AAA tacacs config translation:IOS to NX-OS

miclacs13
Level 1

Hi NetPro,

I am running into this challenge to convert IOS AAA configuration into an NX-OS equivalent. I have a couple of books, but they don't help much with what I am doing. Perhaps the NX-OS experts here would be able to give me a hand with the config translation.

IOS AAA config lines are below:

tacacs-server host x.x.x.x

tacacs-server host y.y.y.y

tacacs-server directed-request

tacacs-server key 7 wwwwwwwwwww

!

enable secret 5 zzzzzzzz

username netadmin privilege 15 password 7 aaaaaaaaaa

aaa new-model

aaa authentication username-prompt Local-username:

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa authorization network default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

Thanks in advance!

Michael

Accepted Solution

Jatin Katyal
Cisco Employee

Here is what you need to configure on nexus for enabling Tacacs+

Enable TACACS+, then provide the IP address of the TACACS+ Server (ACS):

feature tacacs+

tacacs-server host x.x.x.x

tacacs-server host y.y.y.y

tacacs-server directed-request

tacacs-server key 7 KEY

aaa group server tacacs+ ACS

server x.x.x.x

server y.y.y.y

use-vrf management (only if configured)

source-interface mgmt0 (should be defined on the ACS as well)

>> You can test the authentication with the below listed command:

test aaa group ACS username password

If you see authentication REJECT OR SUCCESSFUL then that would mean it's reachable.

Configure login authentications:

aaa authentication login default group ACS

aaa authentication login console group ACS

aaa accounting default group ACS

Nexus by default supports role-based access, which somewhat serves the purpose of authorization. Here is an example that you may go through: https://supportforums.cisco.com/docs/DOC-14273

In case you'd like to use command authorization, like you have set up for IOS, then please use the below listed commands:

This example shows how to authorize EXEC mode commands with TACACS+ server group tac1

switch# aaa authorization commands default group ACS

This example shows how to authorize configuration mode commands with TACACS+ server group tac1

  • If the server is reachable, the command is allowed or not allowed based on the server response.

  • If there is an error reaching the server, the command is authorized based on the user's local role.

switch(config)# aaa authorization config-commands default group ACS local

NOTE: Since this part involves command authorization, I would suggest you test the config in a TEST environment before you implement it in production, to avoid lockout issues.

Nexus Guide check here

Hope it helps.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

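The mapping in the accepted answer is mechanical enough to script. The following is an added example (not code from the thread or from Cisco): a small translator that reads the IOS AAA lines from the original post, emits the NX-OS equivalents exactly as laid out above (feature tacacs+, the server group, login/accounting/command authorization), and reports every line it cannot map instead of silently dropping it. The group name "ACS", the optional vrf/source-interface parameters and the sample input are assumptions; lines the thread gives no equivalent for (enable secret, local username, username-prompt, exec/network authorization) are returned as unmapped so they can be handled by hand, which is also how a practitioner would avoid the lockout the answer warns about.

```python
import re

# Constructed sample input: the IOS AAA lines from the original post,
# with the secrets left as the placeholders the poster used.
IOS_SAMPLE = """\
tacacs-server host x.x.x.x
tacacs-server host y.y.y.y
tacacs-server directed-request
tacacs-server key 7 wwwwwwwwwww
!
enable secret 5 zzzzzzzz
username netadmin privilege 15 password 7 aaaaaaaaaa
aaa new-model
aaa authentication username-prompt Local-username:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)$")
KEY_RE = re.compile(r"^tacacs-server key (.+)$")
LOGIN_RE = re.compile(r"^aaa authentication login default group tacacs\+")
ACCT_RE = re.compile(r"^aaa accounting (exec|commands \d+) \S+ start-stop group tacacs\+")
CMD_AUTHZ_RE = re.compile(r"^aaa authorization commands \d+ \S+ group tacacs\+")
RBAC_RE = re.compile(r"^aaa authorization (exec|network) ")


def translate(ios_config, group="ACS", vrf=None, source_interface=None):
    """Return (nx_lines, unmapped) for an IOS AAA/TACACS+ snippet.

    nx_lines  - NX-OS configuration lines in apply order
    unmapped  - (ios_line, reason) pairs that need manual attention
    """
    hosts, key, directed = [], None, False
    aaa_lines, unmapped = [], []

    def add(line):                      # keep order, drop duplicates
        if line not in aaa_lines:
            aaa_lines.append(line)

    for raw in ios_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := HOST_RE.match(line):
            hosts.append(m.group(1))
        elif m := KEY_RE.match(line):
            key = m.group(1)            # e.g. "7 wwwwwwwwwww", copied verbatim
        elif line == "tacacs-server directed-request":
            directed = True
        elif line == "aaa new-model":
            pass                        # AAA is always on in NX-OS; nothing to emit
        elif LOGIN_RE.match(line):
            add(f"aaa authentication login default group {group}")
            add(f"aaa authentication login console group {group}")
        elif ACCT_RE.match(line):       # exec and command accounting collapse to one line
            add(f"aaa accounting default group {group}")
        elif CMD_AUTHZ_RE.match(line):  # privilege level is dropped; NX-OS has one form
            add(f"aaa authorization commands default group {group}")
        elif line == "aaa authorization config-commands":
            add(f"aaa authorization config-commands default group {group} local")
        elif RBAC_RE.match(line):
            unmapped.append((line, "no direct equivalent: NX-OS uses role-based access (RBAC)"))
        else:
            unmapped.append((line, "No Mapping"))

    nx = ["feature tacacs+"]
    nx += [f"tacacs-server host {h}" for h in hosts]
    if directed:
        nx.append("tacacs-server directed-request")
    if key:
        nx.append(f"tacacs-server key {key}")
    if hosts:                           # server group only makes sense with servers
        nx.append(f"aaa group server tacacs+ {group}")
        nx += [f"  server {h}" for h in hosts]
        if vrf:
            nx.append(f"  use-vrf {vrf}")
        if source_interface:
            nx.append(f"  source-interface {source_interface}")
    return nx + aaa_lines, unmapped


if __name__ == "__main__":
    nx_lines, left_over = translate(IOS_SAMPLE, vrf="management", source_interface="mgmt0")
    print("\n".join(nx_lines))
    for ios_line, reason in left_over:
        print(f"! UNMAPPED ({reason}): {ios_line}")
```

The unmapped list is the important output: exec/network authorization is where NX-OS roles replace IOS privilege levels, and the local username line is what keeps console access working if the TACACS+ servers are unreachable, so neither should be applied blindly from a script.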

3 Replies


Thanks, Jatin!

It is great to know that I was able to compile pretty much the same configuration as what you laid out.

Many thanks!

Mike

Hi Jatin,

What do I need to configure on my Nexus 5548UP for the IOS commands below, as the Cisco IOS-NXOS conversion tool showed many "No Mapping" error messages? Thanks.

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization commands 1 default group tacacs+ local if-authenticated

aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

!

aaa session-id common

tacacs-server host XXXXX

tacacs-server timeout 10

tacacs-server directed-request

tacacs-server key 7 XXXXXXXXXXXXXXXX

radius-server source-ports 1645-1646

Best Regards,

Ho