Cisco Support Community

New Member

Nexus, command authorization using TACACS.

Hello.

Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS?

Thanks.

Regards.

Andrea

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Nexus, command authorization using TACACS.

Hi Andrea,

We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:

username admin password <password> role network-admin ; local admin user

feature tacacs+ ; enable the tacacs feature

tacacs-server host <server-ip> key <key> ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
    server <server-ip> ; define tacacs server IP
    use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
    source-interface mgmt0 ; ...and send them from the mgmt interface

aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs

Hope that works for you!

(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)

Rob...

8 REPLIES
New Member

Nexus, command authorization using TACACS.

Thanks Rob.

We are receiving this authorization error:

    Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

Is there some special setting on ACS?

Regards.

Andrea

New Member

Nexus, command authorization using TACACS.

Hi Andrea,

Hmm - odd. Not sure then - I don't believe we did anything special in our ACS to allow this to work. It was just as simple as adding the network devices - and putting them in a group. But our old ACS was very simple - essentially just one big admin group which assigned everyone full level15 access to every device - so may be worth looking at your groups and permissions etc.

Sorry I can't be any more help!

Thanks,

Rob...

New Member

Nexus, command authorization using TACACS.

Rob, for your information: we needed to add a command set, and now everything works fine.

Regards.

Andrea

New Member

Nexus, command authorization using TACACS.

Can you please let me know what you did to fix your problem? I'm using the exact config and have the same issue. I would really appreciate it if you let me know what you did.

Thanks

New Member

Nexus, command authorization using TACACS.

Hello.

Using Cisco Secure ACS 4.2, we defined a command set and associated it with the group.

Hope this helps.

Regards.

Andrea
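An added illustration, not from the thread and not Cisco ACS or NX-OS code: the Python below models the command-set decision Andrea describes above (a user group bound to a named set of permit/deny rules, plus a default for commands that no rule matches) and shows why a group with no command set bound to it fails every command, which is the state the thread was in before the fix. The rule syntax, first-match ordering, the "unmatched commands" default, the group names, the sample commands and the TFTP address are all assumptions constructed for this example.

```python
# Added example (not ACS or NX-OS code): a model of how a TACACS+ server's
# command authorization set decides whether to permit a command from a Nexus.
# The rule format, first-match evaluation and the "unmatched commands" default
# are assumptions made for illustration; they mirror the idea in the thread,
# where the fix was to bind a command set to the user's group in ACS 4.2.
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str        # "permit" or "deny"
    command: str       # first token of the command line, e.g. "show"
    args: str = "*"    # glob matched (case-sensitively) against the rest of the line


@dataclass
class CommandSet:
    name: str
    rules: List[Rule] = field(default_factory=list)
    permit_unmatched: bool = False   # outcome when no rule matches (assumed default: deny)

    def evaluate(self, command_line: str) -> Tuple[bool, str]:
        tokens = command_line.split()
        if not tokens:
            return False, "deny: empty command line"
        cmd, rest = tokens[0], " ".join(tokens[1:])
        for rule in self.rules:           # first matching rule wins (assumption)
            if rule.command == cmd and fnmatch.fnmatchcase(rest, rule.args):
                return (rule.action == "permit",
                        f"{rule.action} by rule '{rule.command} {rule.args}' in {self.name}")
        if self.permit_unmatched:
            return True, f"permit: no rule matched in {self.name}, unmatched default is permit"
        return False, f"deny: no rule matched in {self.name}, unmatched default is deny"


def authorize(group: Optional[str], command_line: str,
              bindings: Dict[str, CommandSet]) -> Tuple[bool, str]:
    """Decide a command for a user in `group`.

    A group with no command set bound to it fails every command, which is the
    situation the thread describes before a command set was added in ACS.
    """
    if group is None or group not in bindings:
        return False, f"authorization failed: no command set bound to group {group!r}"
    return bindings[group].evaluate(command_line)


# Constructed sample policy: a read-only operators group and an admin group.
READ_ONLY = CommandSet("netops-ro", rules=[
    Rule("deny", "show", "running-config*"),   # config holds keys/communities; hide it from operators
    Rule("permit", "show"),                    # every other show command
    Rule("permit", "ping"),
])                                             # anything else (configure, copy, ...) falls to deny
ADMIN = CommandSet("netadmin", rules=[
    Rule("deny", "reload"),
    Rule("deny", "copy", "* tftp:*"),          # block exporting the config off-box over TFTP
], permit_unmatched=True)

SAMPLE_BINDINGS: Dict[str, CommandSet] = {"netops": READ_ONLY, "netadmin": ADMIN}


def demo() -> List[Tuple[str, str, bool]]:
    """Run a few constructed commands through the policy and return the outcomes."""
    cases = [
        ("netops", "show version"),
        ("netops", "show running-config"),
        ("netops", "configure terminal"),
        ("netadmin", "configure terminal"),
        ("netadmin", "reload"),
        ("netadmin", "copy running-config tftp://198.51.100.7/nx.cfg"),  # constructed address
        ("netadmin", "copy running-config startup-config"),
        ("unbound-group", "show version"),     # no command set bound: fails, as in the thread
    ]
    results = []
    for group, line in cases:
        ok, why = authorize(group, line, SAMPLE_BINDINGS)
        print(f"{group:14} {line:48} -> {'PERMIT' if ok else 'DENY  '} ({why})")
        results.append((group, line, ok))
    return results


if __name__ == "__main__":
    demo()
```

Two things the model makes visible that the thread only hints at: rule order matters (the deny for "show running-config" must come before the broad permit for "show", or it is never reached), and the "unmatched" default is where the real exposure lives, so a read-only group should deny unmatched commands rather than permit them. Note also that Rob's NX-OS lines end in "local", so if the TACACS+ servers are unreachable the switch falls back to local authorization rather than failing closed; whether that is acceptable is a policy choice worth making deliberately.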

Nexus, command authorization using TACACS.

Hi Andrea, any idea how we fix this on Cisco ACS 5.3?

New Member

Nexus, command authorization using TACACS.

Hi.

I'll work on this next month.

I believe I can create a command set under Policy Elements and associate it to a group.

Regards.

Andrea
