06-19-2013 12:18 PM - edited 03-10-2019 08:33 PM
Hi NetPro,
I am running into this challenge to convert IOS AAA configuration into an NX-OS equivalent. I have a couple of books but it doesn't help much in what I am doing. Perhaps the NX-OS experts here would be able to give me a hand in the config translation.
IOS AAA config lines are below:
tacacs-server host x.x.x.x
tacacs-server host y.y.y.y
tacacs-server directed-request
tacacs-server key 7 wwwwwwwwwww
!
enable secret 5 zzzzzzzz
username netadmin privilege 15 password 7 aaaaaaaaaa
aaa new-model
aaa authentication username-prompt Local-username:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
Thanks in advance!
Michael
07-07-2013 07:32 AM
Here is what you need to configure on nexus for enabling Tacacs+
Enable TACACS+, then provide the IP address of the TACACS+ Server (ACS):
feature tacacs+
tacacs-server host x.x.x.x
tacacs-server host y.y.y.y
tacacs-server directed-request
tacacs-server key 7 KEY
aaa group server tacacs+ ACS
server x.x.x.x
server y.y.y.y
use-vrf management (only if configured)
source-interface mgmt0 (should be defined on the ACS as well)
>> You can test the authentication with the below listed command:
test aaa group ACS username password
If you see authentication REJECT OR SUCCESSFUL then that would mean it's reachable.
Configure login authentications:
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
Nexus by default supports role-based access, which somehow serves the purpose of authorization. Here is an example that you may go through: https://supportforums.cisco.com/docs/DOC-14273
In case you'd like to use command authorization, like you have setup for IOS then please use the below listed commands:
This example shows how to authorize EXEC mode commands with TACACS+ server group tac1
switch# aaa authorization commands default group ACS
This example shows how to authorize configuration mode commands with TACACS+ server group tac1
If the server is reachable, the command is allowed or not allowed based on the server response.
If there is an error reaching the server, the command is authorized based on the user's local role.
switch(config)# aaa authorization config-commands default group ACS local
NOTE: Since this part involves command authorization, I would suggest you test the config in a TEST environment before you implement it in production to avoid lockout issues.
Nexus Guide check here
Hope it helps.
~BR
Jatin Katyal
**Do rate helpful posts**
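The mapping in the answer above, as an added example that is not part of the original thread: a small translator that emits the NX-OS lines for the IOS AAA lines in the question and reports the lines that have no NX-OS equivalent (the "No Mapping" case), which on Nexus are normally covered by user roles instead. The group name "ACS" follows the answer; treating "aaa new-model" as implied by "feature tacacs+" is an assumption.

```python
# Mapping of the IOS AAA lines in this thread to the NX-OS lines in the answer
# above (constructed here; "{g}" is the server-group name, "ACS" in the answer).
DIRECT = {
    "aaa new-model": None,  # assumption: no NX-OS line; "feature tacacs+" covers it
    "aaa authentication login default group tacacs+ local":
        "aaa authentication login default group {g}",
    "aaa accounting exec default start-stop group tacacs+":
        "aaa accounting default group {g}",
    "aaa authorization commands 15 default group tacacs+ if-authenticated":
        "aaa authorization commands default group {g}",
    "aaa authorization config-commands":
        "aaa authorization config-commands default group {g} local",
}
# Lines whose syntax is identical on NX-OS: host, key and directed-request.
SAME_ON_NXOS = ("tacacs-server host ", "tacacs-server key ", "tacacs-server directed-request")

# Constructed sample input: the IOS lines from the original question.
IOS_SAMPLE = """tacacs-server host x.x.x.x
tacacs-server host y.y.y.y
tacacs-server directed-request
tacacs-server key 7 wwwwwwwwwww
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands""".splitlines()

def translate(ios_lines, group="ACS", mgmt_vrf=False):
    """Return (nxos_lines, unmapped); unmapped lines need manual review, usually
    because NX-OS covers them with user roles (RBAC) rather than AAA lines."""
    servers, aaa, unmapped = [], [], []
    for raw in ios_lines:
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith(SAME_ON_NXOS):
            servers.append(line)
        elif line in DIRECT:
            if DIRECT[line]:
                aaa.append(DIRECT[line].format(g=group))
        else:
            unmapped.append(line)      # the conversion tool's "No Mapping" case
    hosts = [s.split()[2] for s in servers if s.startswith("tacacs-server host ")]
    grp = [f"aaa group server tacacs+ {group}"] + [f"  server {h}" for h in hosts]
    if mgmt_vrf:                       # only when servers are reached via mgmt0
        grp += ["  use-vrf management", "  source-interface mgmt0"]
    return ["feature tacacs+"] + servers + grp + aaa, unmapped  # group before aaa lines
```

Review the unmapped list before pasting the output into a switch; the exec and network authorization lines there are the ones to model as NX-OS roles.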
07-09-2013 08:42 AM
Thanks, Jatin!
It is great to know that I was able to compile pretty much the same configuration like what you laid out.
Many thanks!
Mike
02-12-2014 07:07 PM
Hi Jatin,
What do I need to configure on my Nexus 5548UP for the IOS commands below, as the Cisco IOS-NXOS conversion tool showed many "No Mapping" error messages? Thanks.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
tacacs-server host XXXXX
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key 7 XXXXXXXXXXXXXXXX
radius-server source-ports 1645-1646
Best Regards,
Ho