Cisco Support Community

Privilege Level for Tacacs Account in Nexus 7000

Hi,

I have configured TACACS (ACS 4.2v) on a Nexus 7000 (as mentioned below) and it works fine, but unlike IOS (6509) it doesn't prompt that you are in user exec mode (>) and then need to type enable and the password for full privilege.

On the N7K, when I enter "configure terminal", it won't allow me to access other commands.

How do I log in to level 15 privilege mode after authenticating from TACACS?

(config)# show running-config tacacs+

tacacs-server key 7 "xxxxx"

tacacs-server host x.x.x.x key 7 "xxxx"

aaa group server tacacs+ TacServer

    server x.x.x.x (same ip as tacacs-server host)

    use-vrf management

    source-interface Vlan2

(config)# show running-config aaa

aaa authentication login default group TacServer

aaa authentication login console local

aaa user default-role

Below are the commands currently accessible in "Terminal":

(config)# ?

  no        Negate a command or set its defaults

  username  Configure user information.

  end       Go to exec mode

  exit      Exit from command interpreter

isb.n7k-dcn-agg-1-sw(config)#

This document was generated from the following discussion: Privilege Level for Tacacs Account in Nexus 7000

Version history: revision 1 of 1, last update 09-02-2013 01:23 AM
Comments

Hi,

After scratching my head, I found the resolution: you need to configure this attribute per user or per group.

First, go to Interface Configuration -> TACACS+ and enable "Display a window for each service selected in which you can enter customized TACACS+ attributes".

Next, go to the user or group where you want to grant this role, check the box next to "Shell (exec)", and in the custom attributes field below add the role assignment.

Note: if you will be authenticating on both NX-OS and IOS devices, use * instead of = to make the role optional, or the IOS devices will fail authorization.

i.e.:

shell:roles*"network-admin"
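
The = versus * note in the comment above, as an added Python sketch that is not part of the original thread and is not Cisco code: it models the TACACS+ rule (RFC 8907) that a client must fail authorization on a mandatory (=) attribute it does not understand, while an optional (*) one may be ignored. The two sets of understood attribute names are assumptions chosen for illustration, not device behaviour documented on this page.

```python
import re

# A TACACS+ authorization argument is "name=value" (mandatory) or
# "name*value" (optional); the name may not contain '=' or '*'.
AV_PAIR = re.compile(r'^(?P<name>[^=*]+)(?P<sep>[=*])(?P<value>.*)$')


def parse_av_pair(text):
    """Split one AV pair into (name, mandatory, value)."""
    m = AV_PAIR.match(text)
    if m is None:
        raise ValueError(f"not a TACACS+ AV pair: {text!r}")
    return m["name"], m["sep"] == "=", m["value"].strip('"')


def authorize(av_pairs, understood):
    """Model a client that understands only the names in `understood`.

    Returns (passed, applied_attributes).
    """
    applied = {}
    for text in av_pairs:
        name, mandatory, value = parse_av_pair(text)
        if name in understood:
            applied[name] = value
        elif mandatory:
            # Unknown mandatory attribute: the whole authorization fails.
            return False, {}
        # Unknown optional attribute: ignored, authorization continues.
    return True, applied


# Assumed, simplified clients (hypothetical attribute sets for this example).
NXOS_LIKE = {"shell:roles"}   # applies the role attribute
IOS_LIKE = {"priv-lvl"}       # does not know "shell:roles"

if __name__ == "__main__":
    for pair in ('shell:roles="network-admin"', 'shell:roles*"network-admin"'):
        for label, client in (("NX-OS-like", NXOS_LIKE), ("IOS-like", IOS_LIKE)):
            passed, applied = authorize([pair], client)
            print(f"{pair:32} {label:11} passed={passed} applied={applied}")
```
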