topic Nexus, command authorization using TACACS. in Network Access Control

Nexus, command authorization using TACACS.

andrea.meconi — Mon, 11 Mar 2019 01:31:58 GMT

Hello.

Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.

Thanks.

Regards.

Andrea

Nexus, command authorization using TACACS.

robdowson — Mon, 14 Nov 2011 10:10:08 GMT

Hi Andrea,

We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:

username admin password role network-admin ; local admin user

feature tacacs+ ; enable the tacacs feature

tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
    server ;define tacacs server IP
    use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
    source-interface mgmt0 ; ...and send them from the mgmt interface

aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs

Hope that works for you!

(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)

Rob...

Nexus, command authorization using TACACS.

andrea.meconi — Tue, 15 Nov 2011 10:28:41 GMT

Thanks Rob.

We are receiving this authorization error

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

There is some special setting on ACS?

Regards.

Andrea

Nexus, command authorization using TACACS.

robdowson — Tue, 15 Nov 2011 11:43:43 GMT

Hi Andrea,

Hmm - odd. Not sure then - I don't believe we did anything special in our ACS to allow this to work. It was just as simple as adding the network devices - and putting them in a group. But our old ACS was very simple - essentially just one big admin group which assigned everyone full level15 access to every device - so may be worth looking at your groups and permissions etc.

Sorry I can't be any more help!

Thanks,

Rob...

Nexus, command authorization using TACACS.

andrea.meconi — Tue, 15 Nov 2011 14:08:56 GMT

Rob, for your information, we need to add a command set so all work fine.

Regards.

Andrea

Nexus, command authorization using TACACS.

Akis Costa — Thu, 29 Mar 2012 22:28:53 GMT

Can you please let me know what you did to fix your problem..I'm using the exact config and have the same issue...I will really appreciate it if you lem me know what you did...

thanx

Nexus, command authorization using TACACS.

andrea.meconi — Fri, 30 Mar 2012 07:46:27 GMT

Hello.

Using Cisco Secure ACS 4.2, we define a command set and associate it to the group.

Hope this helps.

Regards.

Andrea

Nexus, command authorization using TACACS.

Sabic Network Team — Mon, 28 Jan 2013 17:33:09 GMT

Hi Andrea. any idea how do we fix on cisco ACS 5.3 ?

Nexus, command authorization using TACACS.

andrea.meconi — Tue, 29 Jan 2013 11:25:57 GMT

Hi.

I'll work on this next month.

I believe I can create a command set under Policy Elements and associate it to a group.

Regards.

Andrea