Tacacs+ Shell Profiles for both IOS, IOS-XE and IOS-XR

AlexRasmussen
Level 1

Hi

I am working on implementing Cisco ISE as our Tacacs+ server in our company.

We have a mixed infrastructure with both Cisco IOS, Cisco IOS-XE and Cisco IOS-XR devices.

Right now, I am working on building the Policy Sets and the associated Tacacs Shell Profiles.

In my Tacacs shell profile (Privilege 15) I have configured a custom attribute for the Cisco IOS-XR Taskgroup:

Type       Name   Value
MANDATORY  task   rwx:,#operator

 

Raw Profile Attributes:

priv-lvl=15

task=rwx:,#operator

 

When I use this Tacacs shell profile for Cisco IOS-XR devices it works great, but when I use the same Tacacs shell profile for Cisco IOS or Cisco IOS-XE devices it does not work.

 

For the Cisco IOS and Cisco IOS-XE devices the Tacacs login fails with error message: % Authorization failed

 

In the debug messages it says:

TPLUS: Processing the reply packet

TPLUS: Processed AV priv-lvl=15

TPLUS: Failed to decode unknown AV task=rwx:,#operator - FAIL

AAA/AUTHOR/EXEC(0000017D): Authorization FAILED

 

I then removed the custom attribute (taskgroup) from the Tacacs shell profile and then it works with Cisco IOS and Cisco IOS-XE – but of course not on Cisco IOS-XR devices.

 

It looks like the Cisco IOS and Cisco IOS-XE devices do not understand, and do not ignore, the custom attribute included in the Tacacs reply.

 

I want to hear if anyone has experience with using the same Tacacs shell profile for both Cisco IOS, Cisco IOS-XE and Cisco IOS-XR devices?

 

Any idea?

 

Thanks in advance.


2 Replies

Nadav
Level 7
Accepted Solution

IOS and IOS-XE can work with similar shell profiles. IOS-XR and NXOS are different beasts.

 

Either use a separate shell profile for IOS-XR, NXOS and IOS/IOS-XE if using a mandatory attribute, or simply make these attributes optional. My suggestion is to split the shell profiles to different groups with a mandatory attribute if you want to keep the tacacs authentication secure.
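To make the mandatory-versus-optional distinction concrete, here is an added example (not code from the thread, from Cisco, or from ISE) that simulates how a TACACS+ client walks the AV pairs of an authorization reply. In the TACACS+ protocol (RFC 8907, section 6.1) `name=value` marks a mandatory argument and `name*value` an optional one; a client that cannot honour a mandatory argument must treat the authorization as failed, while optional arguments may be disregarded. The per-platform attribute sets are a constructed illustration, not a complete list of what each OS supports, and the debug strings are modelled on the TPLUS output quoted in the question.

```python
"""Simulate a TACACS+ client's handling of authorization-reply AV pairs.

Added example, not code from the thread or from Cisco/ISE. It reproduces the
failure described in the question ("task=rwx:,#operator" rejected by IOS) and
shows the two remedies from the accepted answer: a platform-specific profile,
or making the attribute optional with "*" instead of "=".
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed per-platform knowledge for illustration only: which shell
# attributes each OS family understands. Not an exhaustive or official list.
KNOWN_ATTRS: dict[str, set[str]] = {
    "IOS": {"priv-lvl", "autocmd", "idletime", "timeout"},
    "IOS-XE": {"priv-lvl", "autocmd", "idletime", "timeout"},
    "IOS-XR": {"priv-lvl", "task"},
}


@dataclass(frozen=True)
class AVPair:
    name: str
    value: str
    mandatory: bool  # True for "name=value", False for "name*value"


def parse_av_pair(raw: str) -> AVPair:
    """Split one argument on its first '=' or '*', whichever comes first.

    The value itself may contain '=' or '*' (the IOS-XR task value contains
    ':' and '#'), so only the first separator decides the attribute name and
    whether the argument is mandatory.
    """
    positions = [i for i in (raw.find("="), raw.find("*")) if i != -1]
    if not positions:
        raise ValueError(f"no '=' or '*' separator in argument {raw!r}")
    sep = min(positions)
    return AVPair(name=raw[:sep], value=raw[sep + 1:], mandatory=(raw[sep] == "="))


def evaluate_reply(platform: str, args: list[str]) -> tuple[str, dict[str, str], list[str]]:
    """Return (status, applied attributes, debug lines) for one reply.

    Status strings mirror the RFC 8907 names: PASS_ADD when every argument was
    accepted or safely ignored, FAIL when an unknown mandatory argument was met.
    """
    known = KNOWN_ATTRS[platform]
    applied: dict[str, str] = {}
    debug: list[str] = []
    for raw in args:
        av = parse_av_pair(raw)
        if av.name in known:
            applied[av.name] = av.value
            debug.append(f"Processed AV {av.name}={av.value}")
        elif av.mandatory:
            # An unknown mandatory argument is an authorization failure; nothing
            # from the reply may be applied.
            debug.append(f"Failed to decode unknown AV {raw} - FAIL")
            return "FAIL", {}, debug
        else:
            # Unknown optional arguments may be disregarded.
            debug.append(f"Ignored unknown optional AV {raw}")
    return "PASS_ADD", applied, debug


if __name__ == "__main__":
    shared_profile = ["priv-lvl=15", "task=rwx:,#operator"]   # as in the question
    optional_profile = ["priv-lvl=15", "task*rwx:,#operator"]  # remedy: optional task
    for platform, args in (("IOS-XR", shared_profile), ("IOS", shared_profile),
                           ("IOS", optional_profile)):
        status, applied, debug = evaluate_reply(platform, args)
        print(f"{platform} <- {args}")
        for line in debug:
            print(f"  TPLUS: {line}")
        print(f"  => {status} {applied}")
```

Running it shows the shared profile passing on IOS-XR and failing on IOS exactly where the question's debug output fails, and the optional form passing on IOS with the task attribute silently dropped. The cost of the optional form is that IOS-XR then also treats a missing or garbled task value as ignorable, which is why the accepted answer prefers separate profiles with mandatory attributes when authorization needs to stay strict.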

 

@Nadav is correct. Different platforms have different underlying operating systems and/or features that may require different VSAs that other platforms may not understand (for example, NX-OS Virtual Device Contexts).

A common approach is to group similar devices into Network Device Groups (NDGs) and use those NDGs as matching conditions to create separate Policy Sets and/or Authorization Policies with the relevant Shell Profiles and/or Command Sets.

 

Cheers,

Greg