11-06-2011 09:45 AM - edited 03-10-2019 06:31 PM
Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Thanks.
Regards.
Andrea
11-14-2011 02:10 AM
Hi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password 
feature tacacs+ ; enable the tacacs feature
tacacs-server host 
aaa group server tacacs+ tacacs ; create group called 'tacacs'
    server 
    use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
    source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs  ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob...
11-15-2011 02:28 AM
Thanks Rob.
We are receiving this authorization error
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)
Is there some special setting on ACS?
Regards.
Andrea
11-15-2011 03:43 AM
Hi Andrea,
Hmm - odd. Not sure then - I don't believe we did anything special in our ACS to allow this to work. It was just as simple as adding the network devices - and putting them in a group. But our old ACS was very simple - essentially just one big admin group which assigned everyone full level15 access to every device - so may be worth looking at your groups and permissions etc.
Sorry I can't be any more help!
Thanks,
Rob...
11-15-2011 06:08 AM
Rob, for your information, we needed to add a command set; now all works fine.
Regards.
Andrea
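The exchange behind `aaa authorization commands` and the status in Andrea's error, as an added example that is not part of the thread or of any Cisco code: a TACACS+ (RFC 8907) AUTHOR REQUEST for a shell command and the AUTHOR REPLY the server returns, with the body obfuscation the protocol applies. The value 0x10 that NX-OS reports is the same number the protocol uses for TAC_PLUS_AUTHOR_STATUS_FAIL, which is consistent with the fix being a missing command set (that correspondence is an inference, not something the thread confirms). The user name, port, address, shared key and session id are constructed.

```python
"""Added example, not from the thread: the TACACS+ (RFC 8907) exchange behind 'aaa authorization commands'."""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02                                   # header type for authorization packets
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}

def _obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    # RFC 8907 section 4.5: XOR the body with a chained-MD5 pseudo-pad; symmetric, so it also decodes.
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def _packet(body: bytes, seq_no: int, session_id: int, key: bytes) -> bytes:
    version = 0xC0                                       # major version 0xc, minor 0; flags=0 means obfuscated
    hdr = struct.pack("!BBBBII", version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + _obfuscate(body, session_id, key, version, seq_no)

def author_request(user, port, rem_addr, args, session_id, key, priv_lvl=15) -> bytes:
    """Client side (the Nexus): AUTHOR REQUEST, seq_no 1, args such as service=shell cmd=show cmd-arg=..."""
    u, p, r, a = user.encode(), port.encode(), rem_addr.encode(), [x.encode() for x in args]
    body = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a))
    body += bytes(map(len, a)) + u + p + r + b"".join(a)  # arg lengths, then the variable-length fields
    return _packet(body, 1, session_id, key)

def author_reply(status, server_msg, args, session_id, key) -> bytes:
    """Server side (ACS): AUTHOR REPLY, seq_no 2; a command the command set does not allow gets 0x10 FAIL."""
    m, a = server_msg.encode(), [x.encode() for x in args]
    body = struct.pack("!BBHH", status, len(a), len(m), 0) + bytes(map(len, a)) + m + b"".join(a)
    return _packet(body, 2, session_id, key)

def decode_reply(packet: bytes, key: bytes):
    """What the Nexus sees: (status name, server_msg, returned args), e.g. ('FAIL', ..., [])."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a well-formed TACACS+ authorization packet")
    body = _obfuscate(packet[12:], session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6 + arg_cnt:6 + arg_cnt + msg_len].decode()
    args, pos = [], 6 + arg_cnt + msg_len + data_len      # returned args follow server_msg and data
    for n in body[6:6 + arg_cnt]:
        args.append(body[pos:pos + n].decode())
        pos += n
    return STATUS.get(status, f"UNKNOWN(0x{status:02x})"), server_msg, args
```

Run `decode_reply` on the output of `author_reply(0x10, ...)` to see the FAIL status a device logs when the server has no matching command set.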
03-29-2012 03:28 PM
Can you please let me know what you did to fix your problem? I'm using the exact config and have the same issue... I would really appreciate it if you let me know what you did...
Thanks
03-30-2012 12:46 AM
Hello.
Using Cisco Secure ACS 4.2, we defined a command set and associated it with the group.
Hope this helps.
Regards.
Andrea
01-28-2013 09:33 AM
Hi Andrea, any idea how we fix this on Cisco ACS 5.3?
01-29-2013 03:25 AM
Hi.
I'll work on this next month.
I believe I can create a command set under Policy Elements and associate it to a group.
Regards.
Andrea