New Member

'cisco-support' privilege account in TACACS

Hi guys, we opened a TAC case recently and the TAC engineer asked us to issue a few commands on the ASR to collect the info. But some commands need the 'cisco-support' privilege, and we need to add the 'cisco-support' privilege in TACACS. Could anyone show me how to add it in TACACS and the ASR?

Thanks. Leo

Cisco Employee

'cisco-support' privilege account in TACACS

Hello Leo,

Here is the doc on how to do this:

https://supportforums.cisco.com/docs/DOC-15944

Regards,

/A

New Member

'cisco-support' privilege account in TACACS

Hi Alex,

I am trying to add the cisco-support privilege to one local user to test, but the authentication failed when I tried to log in with console or SSH. The version is 4.2.0 and the following is the aaa config. Am I missing anything? Thanks.

username test
 group root-system
 group cisco-support
 password 7 070E315C420C485744
!
aaa accounting exec secure start-stop group AAA
aaa accounting exec console start-stop group AAA none
aaa accounting commands secure start-stop group AAA
aaa accounting commands console start-stop group AAA none
aaa group server tacacs+ AAA
 server a.a.a.a
 server b.b.b.b
!
aaa authorization exec secure group AAA local
aaa authorization exec console group AAA local
aaa authorization exec default none
aaa authorization commands secure group AAA
aaa authorization commands console group AAA none
aaa authorization commands default none
aaa authorization eventmanager default local
aaa authentication login secure group AAA local
aaa authentication login console group AAA local
aaa authentication login default local
aaa authentication login eventmanager local

Regards, Leo

Cisco Employee

'cisco-support' privilege account in TACACS

Hi Leo,

A local user database would be used only in a case when your tacacs server is down and used as a backup access. Under normal working conditions a user with root privileges should be defined on the tacacs server.

Otherwise, for testing your local user, bring the tacacs down and verify if you can login with local “test” user.

Regards,

/A

New Member

'cisco-support' privilege account in TACACS

Thanks Alex, I had found this answer in the ASR9k config document. Anyway, I appreciate your reply.

Regards, Leo

New Member

'cisco-support' privilege account in TACACS

Hi Alex, one more question: what could be the risk if one account gets the cisco-support privilege, say some show commands could impact the ASR performance? I am thinking whether we should add this privilege to every team member or should create a generic account that can be used when they need it. What is the best practice from your side?

Thanks. Leo

Cisco Employee

'cisco-support' privilege account in TACACS

Hi Leo,

My recommendation would be to enable the cisco-support group for your engineers. It is extremely frustrating for everybody to find out that we cannot run some commands during a network down situation.

We have a TAC request as well to merge root and cisco-support together as we don’t see much added value of having them separated.

Regards,

/A

New Member

'cisco-support' privilege account in TACACS

Thanks Alex.

New Member

'cisco-support' privilege account in TACACS

Hi Alex, sorry to bother you, I am trying to add the 'cisco-support' in TACACS for everyone. We are running ACS 5.1.0.44.3, but I couldn't find any documents showing how to do that. Could you please help confirm if my following steps are correct? Should the requirement be mandatory? Where can I find any doc that explains the value setting? Thanks.

In the ACS GUI, Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles -> View: "Shell Profile Priv. Level 15" -> Go to the Custom Attributes tab

Attribute: Cisco support
Requirement: Mandatory
Value: task="# root-system, # cisco-support"

Regards, Leo

Cisco Employee

Re: 'cisco-support' privilege account in TACACS

Sorry, I don't have ACS to verify it, but I have a snapshot from the past.

In this example we use priv13.

XR config:

!
usergroup priv13 <--------- This is mapped to Privilege 13 on ACS (Cisco group)
  taskgroup root-system
  taskgroup cisco-support
!

In ACS, check on cisco-av-pair.

Enter the text "shell:priv-lvl" to define the privilege group for the group:

===========================================
"shell:priv-lvl=13"
"shell:tasks*=#root-system,#cisco-support"
===========================================
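An added example (not from this thread or from Cisco) that parses the kind of shell av-pair values shown in the reply above and audits which shell profiles grant the cisco-support task group, so an operator can review who holds it; it also flags malformed values such as a "task" attribute with spaces, like the one in the earlier question. The profile names and av-pair strings are constructed samples, and the "shell:tasks" entry grammar (a "#group" name or "perms:taskid") is assumed from IOS XR's documented form.

```python
"""Audit TACACS+ shell av-pairs for IOS XR task-group grants (added example)."""
import re

# IOS XR accepts two entry forms inside shell:tasks (assumed grammar):
#   "#<taskgroup>"      a named task group, e.g. #cisco-support
#   "<perms>:<taskid>"  per-task permissions, e.g. rwx:bgp
TASK_ENTRY = re.compile(r"^(#[\w-]+|[rwxd]{1,4}:[\w-]+)$")

# Constructed sample shell profiles, keyed by profile name.
SAMPLE_PROFILES = {
    "noc-priv13": ['"shell:priv-lvl=13"', '"shell:tasks*=#root-system,#cisco-support"'],
    "bgp-ops":    ["shell:priv-lvl=1", "shell:tasks=#operator,rwx:bgp"],
    "typo":       ["shell:priv-lvl=15", "shell:task=# root-system, # cisco-support"],
}

def parse_shell_avpair(pair):
    """Return (attribute, mandatory, value). In TACACS+ 'attr=value' is
    mandatory and 'attr*=value' is optional (the device may ignore it)."""
    m = re.match(r"^shell:([A-Za-z-]+)(\*?=)(.*)$", pair.strip().strip('"'))
    if not m:
        raise ValueError(f"not a shell av-pair: {pair!r}")
    attr, sep, value = m.groups()
    return attr, sep == "=", value

def parse_tasks(value):
    """Validate a shell:tasks value and return the task-group names it grants."""
    groups = []
    for entry in value.split(","):
        if not TASK_ENTRY.match(entry):  # rejects "# root-system", stray spaces, etc.
            raise ValueError(f"malformed tasks entry: {entry!r}")
        if entry.startswith("#"):
            groups.append(entry[1:])
    return groups

def audit_profiles(profiles):
    """Map profile name -> (priv level, task groups, problems) for review."""
    report = {}
    for name, pairs in profiles.items():
        priv, groups, problems = None, [], []
        for pair in pairs:
            try:
                attr, _mandatory, value = parse_shell_avpair(pair)
                if attr == "priv-lvl":
                    priv = int(value)
                elif attr == "tasks":
                    groups = parse_tasks(value)
                else:
                    problems.append(f"unknown attribute {attr!r}")
            except ValueError as err:
                problems.append(str(err))
        report[name] = (priv, groups, problems)
    return report

def who_has_cisco_support(report):
    """Profile names whose shell:tasks include the cisco-support task group."""
    return sorted(n for n, (_p, groups, _e) in report.items() if "cisco-support" in groups)
```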