Nexus, command authorization using TACACS.

andrea.meconi
Level 2

Hello.

Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS?

Thanks.

Regards.

Andrea

1 Accepted Solution

Accepted Solutions

robdowson
Level 1

Hi Andrea,

We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:

username admin password role network-admin ; local admin user

feature tacacs+ ; enable the tacacs feature

tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
    server ; define tacacs server IP
    use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
    source-interface mgmt0 ; ...and send them from the mgmt interface

aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs

Hope that works for you!

(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)

Rob...


8 Replies

Thanks Rob.

We are receiving this authorization error:

    Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

Is there some special setting on ACS?

Regards.

Andrea

Hi Andrea,

Hmm - odd. Not sure then - I don't believe we did anything special in our ACS to allow this to work. It was just as simple as adding the network devices - and putting them in a group. But our old ACS was very simple - essentially just one big admin group which assigned everyone full level 15 access to every device - so it may be worth looking at your groups and permissions etc.

Sorry I can't be any more help!

Thanks,

Rob...

Rob, for your information, we needed to add a command set, and now everything works fine.

Regards.

Andrea

Can you please let me know what you did to fix your problem? I'm using the exact config and have the same issue. I would really appreciate it if you let me know what you did.

Thanks

Hello.

Using Cisco Secure ACS 4.2, we defined a command set and associated it with the group.

Hope this helps.

Regards.

Andrea

Hi Andrea, any idea how we fix this on Cisco ACS 5.3?

Hi.

I'll work on this next month.

I believe I can create a command set under Policy Elements and associate it with a group.

Regards.

Andrea
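The two points the thread settles on are (a) that the switch side of Rob's config, `aaa authorization commands default group tacacs local`, only falls back to the local role when the TACACS+ server does not answer, never when the server answers with a deny, and (b) that on the ACS side a group with no command set attached authorizes nothing, which is why Andrea saw `AAA authorization failed` until a command set was added. The following Python model is an added example written for this page; it is not code from the thread, from Cisco, or from ACS. It approximates an ACS-style command set (ordered permit/deny rows plus a "permit unmatched commands" flag) with `fnmatch` wildcards and first-match-wins, which is an assumption of the model rather than a description of ACS's exact matcher; the user, group and command names are constructed sample data.

```python
"""Model of NX-OS command authorization against a TACACS+ command set.

Added example for this thread (not Cisco or ACS code). It approximates:
  * server side: an ACS-style command set attached to the user's group;
    a group with NO command set denies everything (the thread's symptom);
  * switch side: the method list 'group tacacs local' consults the local
    role only when the server is unreachable, not on an explicit deny.
Wildcard matching with fnmatch, first matching row wins, is an assumption
of this model.
"""
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatch


class Status(Enum):
    PASS = "PASS"    # server authorized the command
    FAIL = "FAIL"    # server explicitly denied the command
    ERROR = "ERROR"  # server unreachable / no usable response


@dataclass
class CommandSet:
    """ACS-style command set: ordered (grant, pattern) rows."""
    rows: list = field(default_factory=list)  # e.g. [("permit", "show *")]
    permit_unmatched: bool = False            # the "permit any unmatched" box

    def evaluate(self, command: str) -> bool:
        for grant, pattern in self.rows:
            if fnmatch(command, pattern):
                return grant == "permit"
        return self.permit_unmatched


@dataclass
class TacacsServer:
    reachable: bool = True
    group_command_sets: dict = field(default_factory=dict)  # group -> CommandSet
    user_groups: dict = field(default_factory=dict)         # user -> group

    def authorize(self, user: str, command: str) -> Status:
        if not self.reachable:
            return Status.ERROR
        cmd_set = self.group_command_sets.get(self.user_groups.get(user))
        if cmd_set is None:
            # No command set attached to the group: nothing grants the command.
            return Status.FAIL
        return Status.PASS if cmd_set.evaluate(command) else Status.FAIL


# Local fallback: NX-OS built-in roles, approximated for this model.
LOCAL_ROLES = {
    "network-admin": ["*"],
    "network-operator": ["show *", "exit", "end"],
}


def local_authorize(role: str, command: str) -> bool:
    return any(fnmatch(command, p) for p in LOCAL_ROLES.get(role, []))


def nxos_authorize(server: TacacsServer, user: str, local_role: str, command: str) -> str:
    """Decision for 'aaa authorization commands default group tacacs local'."""
    status = server.authorize(user, command)
    if status is Status.PASS:
        return "permitted (tacacs)"
    if status is Status.FAIL:
        return "denied (tacacs)"  # explicit deny: local method is NOT consulted
    if local_authorize(local_role, command):
        return "permitted (local fallback)"
    return "denied (local fallback)"


def demo() -> dict:
    """Constructed scenarios; returns {label: verdict}."""
    ops_set = CommandSet(rows=[("permit", "show *"), ("deny", "configure *")])
    admin_set = CommandSet(permit_unmatched=True)
    server = TacacsServer(
        group_command_sets={"netops": ops_set, "netadmin": admin_set},
        user_groups={"alice": "netadmin", "bob": "netops", "carol": "nocmdset"},
    )
    results = {
        "admin configure": nxos_authorize(server, "alice", "network-admin", "configure terminal"),
        "ops show": nxos_authorize(server, "bob", "network-operator", "show running-config"),
        "ops configure": nxos_authorize(server, "bob", "network-operator", "configure terminal"),
        # carol's group has no command set: denied even though her local role is admin
        "no command set": nxos_authorize(server, "carol", "network-admin", "show version"),
    }
    server.reachable = False
    results["unreachable, operator show"] = nxos_authorize(server, "bob", "network-operator", "show version")
    results["unreachable, operator configure"] = nxos_authorize(server, "bob", "network-operator", "configure terminal")
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:32s} -> {verdict}")
```

The "no command set" case is the one to keep in mind when reading the thread: because the server answers with a deny rather than timing out, the `local` keyword in the method list never comes into play, and the user is locked out of every command regardless of the local role.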
