Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1461
Views
5
Helpful
2
Replies

console authorization on Nexus 7000 switch not working

baghimir
Level 1
Level 1

‎11-30-2011 04:50 PM - edited ‎03-07-2019 03:40 AM

Hi,

I'm trying to enable command authorization for ssh as  well as console access to a Nexus 7010 box (version 5.0). Following is  the config:

aaa group server tacacs+ ACS5-1

    server 10.12.19.11

    server 10.12.19.12

    source-interface loopback0

snmp-server enable traps aaa server-state-change

aaa authentication login default group ACS5-1 local

aaa authorization config-commands default group ACS5-1 local

aaa authorization commands default group ACS5-1 local

NX# sh aaa authentication

         default: group ACS5-1

         console: group ACS5-1

NX#

NX# show aaa authorization

         pki-ssh-cert: local

         pki-ssh-pubkey: local

AAA command authorization:

         default authorization for config-commands: group ACS5-1 local

         default authorization for commands: group ACS5-1 local

As  you can see, the default group configuration ACS5-1 for authenticatoin  has applied to both defaults and console. But the command authorization  does not appear to be applied to the console. As a result, when i login  from the console and get authenticated, the command authorization does  not trigger and i can run commands I'm not supposed to. In the  configuration, I do not see "aaa authorization console" option unlike we  have in IOS.

Anything i'm missing ? please help.

Labels:
0 Helpful
2 Replies 2

phiharri
Level 1
Level 1

‎12-01-2011 06:35 AM

Hey Badri,

Check the documentation:

"For Cisco NX-OS Releases 4.x and 5.x, command authorization is available only for non-console sessions."

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter6.html

Command authorization for console sessions is coming in NX-OS 6.x.

Hope this helps,

/Phil

ausjustin
Level 1
Level 1
In response to phiharri

‎04-29-2013 07:30 AM

Hi baghimir

have you resolved this issue yet  ? as I had similar issue like you , but I cannot get the local user pass for authentication via by console interface .

we're running 5.1(3)  , do you think it was bugs on this version ?

Thanks

Justin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card