'cisco-support' privilege account in TACACS

xzjleo2005
Level 1

Hi guys, we opened a TAC case recently and the TAC engineer asked us to issue a few commands on the ASR to collect the info. But some commands need the 'cisco-support' privilege, and we need to add the 'cisco-support' privilege in TACACS. Could anyone show me how to add it in TACACS and on the ASR?

Thanks. Leo


9 Replies

Alexei Kiritchenko
Cisco Employee

Hello Leo,

Here is the doc on how to do this:

https://supportforums.cisco.com/docs/DOC-15944

Regards,

/A

Hi Alex,

I am trying to add the cisco-support privilege to one local user to test, but authentication failed when I tried to log in via console or SSH. The version is 4.2.0 and the following is the AAA config. Am I missing anything? Thanks.

username test
 group root-system
 group cisco-support
 password 7 070E315C420C485744
!
aaa accounting exec secure start-stop group AAA
aaa accounting exec console start-stop group AAA none
aaa accounting commands secure start-stop group AAA
aaa accounting commands console start-stop group AAA none
aaa group server tacacs+ AAA
 server a.a.a.a
 server b.b.b.b
!
aaa authorization exec secure group AAA local
aaa authorization exec console group AAA local
aaa authorization exec default none
aaa authorization commands secure group AAA
aaa authorization commands console group AAA none
aaa authorization commands default none
aaa authorization eventmanager default local
aaa authentication login secure group AAA local
aaa authentication login console group AAA local
aaa authentication login default local
aaa authentication login eventmanager local

Regards, Leo

Hi Leo,

A local user database would be used only in a case when your tacacs server is down and used as a backup access.  Under normal working conditions a user with root privileges should be defined on the tacacs server.

Otherwise, for testing your local user, bring the tacacs down and verify if you can login with local “test” user.

Regards,

/A

Thanks Alex, I had found this answer in the ASR9k config document. Anyway, I appreciate your reply.

Regards, Leo

Hi Alex, one more question: what could be the risk if one account gets the cisco-support privilege? Say, could some show commands impact the ASR's performance? I am thinking about whether we should add this privilege to every team member or create a generic account that can be used when they need it. What is the best practice from your side?

Thanks. Leo

Hi Leo,

My recommendation would be to enable the cisco-support group for your engineers. It is extremely frustrating for everybody to find out that we cannot run some commands during a network-down situation.

We have a TAC request as well to merge root and cisco-support together as we don’t see much added value of having them separated.

Regards,

/A

Thanks Alex.

Hi Alex, sorry to bother you. I am trying to add 'cisco-support' in TACACS for everyone. We are running ACS 5.1.0.44.3, but I couldn't find any documents showing how to do that. Could you please help confirm whether my following steps are correct? Should the requirement be mandatory? Where can I find a doc that explains the value setting? Thanks.

In the ACS GUI: Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles -> View: "Shell Profile Priv. Level 15" -> go to the Custom Attributes tab

 Attribute:   Cisco support
 Requirement: Mandatory
 Value:       task="# root-system, # cisco-support"

Regards, Leo

Sorry, I don't have ACS to verify it, but I have a snapshot from the past.

In this example we use priv13

XR config:

!
usergroup priv13            <--- this is mapped to privilege level 13 on ACS (Cisco group)
 taskgroup root-system
 taskgroup cisco-support
!

In ACS, check the cisco-av-pair.

Enter the text "shell:priv-lvl" to define the privilege for the group:

===========================================
"shell:priv-lvl=13"
"shell:tasks*=#root-system,#cisco-support"
===========================================
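As an added example (not code from anyone in this thread), the script below audits the kind of IOS-XR AAA configuration Leo pasted earlier and the usergroup/taskgroup mapping Alexei shows above. It parses `username` and `usergroup` blocks plus the `aaa authentication`/`aaa authorization` method lists, reports where `local` sits in each list (primary versus fallback, which is the point Alexei makes about local users only mattering when the TACACS+ servers are down), lists the local users that would hold root-system or cisco-support in that fallback case, and renders the value of the TACACS+ `task` attribute for a usergroup's taskgroups. The sample config is constructed for the example (the `priv13` usergroup and the method lists are modelled on the thread, the password strings are placeholders), and the `#group` comma-separated format of the `task` attribute is taken from Cisco's IOS XR AAA configuration guide, not from the ACS screens discussed here.

```python
"""Audit an IOS-XR AAA config for local fallback and privileged task groups.

Added example, not code from the thread: parses username/usergroup blocks
and aaa method lists, reports where 'local' is used and which local users
carry root-system or cisco-support, and renders the TACACS+ 'task' value.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: modelled on the thread's snippet plus the priv13 usergroup.
SAMPLE_XR_CONFIG = """\
username test
 group root-system
 group cisco-support
 password 7 070E315C420C485744
!
usergroup priv13
 taskgroup root-system
 taskgroup cisco-support
!
aaa authorization exec secure group AAA local
aaa authorization exec default none
aaa authorization commands secure group AAA
aaa authorization commands console group AAA none
aaa authentication login secure group AAA local
aaa authentication login default local
"""

# root-system grants everything; cisco-support unlocks the TAC-only commands.
PRIVILEGED_GROUPS = {"root-system", "cisco-support"}

_BLOCK_HEADER = re.compile(r"^(username|usergroup)\s+(\S+)$")
_METHOD_LIST = re.compile(
    r"^aaa\s+(authentication login|authorization exec|authorization commands)\s+(\S+)\s+(.+)$")

def _blocks(config: str, keyword: str) -> Dict[str, List[str]]:
    """{name: [child lines]} for each block opened by `keyword`; a block ends at '!'
    or at the next header, and child lines may be unindented as in the forum paste."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = _BLOCK_HEADER.match(line)
        if header and header.group(1) == keyword:
            current = header.group(2)
            blocks[current] = []
        elif header or line == "!":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def local_users(config: str) -> Dict[str, List[str]]:
    """Each local username with its sorted 'group' memberships."""
    return {user: sorted(ln.split()[1] for ln in lines if ln.startswith("group "))
            for user, lines in _blocks(config, "username").items()}

def usergroups(config: str) -> Dict[str, List[str]]:
    """Each usergroup with its taskgroups in configured order."""
    return {name: [ln.split()[1] for ln in lines if ln.startswith("taskgroup ")]
            for name, lines in _blocks(config, "usergroup").items()}

def privileged_local_users(config: str) -> List[str]:
    """Local users who hold root-system or cisco-support when TACACS+ is unreachable."""
    return sorted(u for u, g in local_users(config).items() if PRIVILEGED_GROUPS & set(g))

def method_lists(config: str) -> Dict[Tuple[str, str], List[str]]:
    """Parse 'aaa <kind> <list> <methods>' lines; 'group X' counts as one method."""
    lists: Dict[Tuple[str, str], List[str]] = {}
    for raw in config.splitlines():
        m = _METHOD_LIST.match(raw.strip())
        if not m:
            continue
        tokens, methods = m.group(3).split(), []
        while tokens:
            tok = tokens.pop(0)
            methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
        lists[(m.group(1), m.group(2))] = methods
    return lists

def local_usage(config: str) -> Dict[Tuple[str, str], int]:
    """Position of 'local' in each list naming it: 0 = primary/only, >0 = fallback."""
    return {k: m.index("local") for k, m in method_lists(config).items() if "local" in m}

def tacacs_task_attribute(taskgroups: List[str]) -> str:
    """TACACS+ 'task' attribute value for XR taskgroups: '#' prefix, comma-separated
    (format per Cisco's IOS XR AAA guide, which shows task = "rwx:bgp,#operator")."""
    return ",".join(f"#{g}" for g in taskgroups)

if __name__ == "__main__":
    print("privileged local users:", privileged_local_users(SAMPLE_XR_CONFIG))
    for (kind, name), pos in sorted(local_usage(SAMPLE_XR_CONFIG).items()):
        print(f"aaa {kind} {name}: local is", "primary/only" if pos == 0 else f"fallback #{pos}")
    for name, tgs in usergroups(SAMPLE_XR_CONFIG).items():
        print(f'usergroup {name} -> task = "{tacacs_task_attribute(tgs)}"')
```

Run it against a `show running-config aaa` / `show running-config username` dump instead of the constructed sample to see which method lists will ever consult the local database, and therefore which local accounts actually need cisco-support for the TACACS-down case Alexei describes.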
