
TACACS and IOS/IOSxe/ and NX-OS

nygenxny123
Level 1

In our environment we run TACACS+ on TACACS.net.

We also have IOS, IOS XE and NX-OS platforms.

My question is, from a configuration standpoint on a TACACS server, be it ACS or anything else:

Would the database configuration be any different? Ultimately I would like to have one group on the server itself and be able to add devices to it, not have three different groups, etc.

3 Replies

nspasov
Cisco Employee

You would have to elaborate a bit more on what you mean by "groups" and your environment, needs, requirements, etc. 

In general, IOS and IOS XE have very similar configuration syntax and both accept "privilege level" assignment and command authorization sets. NX-OS, however, is different and does not use "privilege levels." Instead, you will have to push a "role" in the authorization policy.

Check out the following links for more info:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x_chapter_0110.html...

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-3s/sec-usr-tacacs-xe-3s-book/sec-cfg-tacacs.html

I hope this helps!


Thank you for rating helpful posts!

Thanks for the reply.

In our TACACS.net server we have a client group of NX-OS devices for a user group named network_admins_for_NX, with the following permissions:

<Authorization>
  <UserGroups>
    <UserGroup></UserGroup>
  </UserGroups>
  <AutoExec>
    <Set>cisco-av-pair*shell:roles="network-admin vdc-admin"</Set>
  </AutoExec>
  <Shell>
    <Permit>.*</Permit>
  </Shell>
  <Services> </Services>
</Authorization>


But we also have another client group of IOS and IOS XE devices associated with a user group, network_administration:

<Authorization>
  <UserGroups>
    <UserGroup>network_administration</UserGroup>
  </UserGroups>
  <ClientGroups>
    <ClientGroup>IOS_D</ClientGroup>
    <ClientGroup>IOS_XE_D</ClientGroup>
    <ClientGroup>IOS_D_101</ClientGroup>
  </ClientGroups>
  <AutoExec>
    <Set>priv-lvl=15</Set>
  </AutoExec>
  <Shell>
    <Permit>configure</Permit>
    <Permit>show running-config</Permit>
    <Permit>enable</Permit>
    <Permit>.*show.*</Permit>
    <Permit>.*</Permit>
  </Shell>
  <Services> </Services>
</Authorization>


Ideally I would just like to have one client group and one user group to ease management, since the same people are in both user groups managing all the devices.


I am not familiar with your particular flavor of TACACS+ but in ACS you can have:

- One user group: For example: Network_Admins

- Two NAD Groups: One for NX-OS Devices and one for IOS Devices

- Two Authorization Profiles: One for NX-OS based admins and one for IOS based admins

- Two authorization rules:

1. Matching against user group Network_Admins and the NX-OS NAD group, and returning the authorization profile for NX-OS admins, which contains the "role"

2. Matching against user group Network_Admins and the IOS NAD group, and returning the authorization profile for IOS admins, which contains the "priv-level 15"


Thank you for rating helpful posts!
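The layout nspasov describes in the reply above (one user group, one device/NAD group per platform, one authorization profile and one rule per platform) and the priv-lvl versus role distinction from the first reply, modelled as an added Python example. This is not code from the thread, TACACS.net or ACS: the user names, device subnets, rule evaluator and the anchoring of the permit regexes at the start of the command are constructed assumptions; the attribute strings returned are the ones posted in the thread, and the `=` versus `*` separator handling follows RFC 8907 (mandatory versus optional attribute).

```python
"""Model of one user group + one device group and one profile per
platform. Added example; not from the thread, TACACS.net or ACS.
Names, subnets and the evaluator are constructed; the returned
attribute strings are the ones posted in the thread."""
import ipaddress
import re
from dataclasses import dataclass

# Device (NAD) groups keyed by management subnet (constructed sample data).
DEVICE_GROUPS = {
    "nx-os": [ipaddress.ip_network("10.0.1.0/24")],
    "ios": [ipaddress.ip_network("10.0.2.0/24"),
            ipaddress.ip_network("10.0.3.0/24")],
}

# One user group for the people who manage both platforms (constructed).
USER_GROUPS = {
    "alice": {"network_admins"},
    "bob": {"network_admins"},
    "eve": {"helpdesk"},
}


@dataclass(frozen=True)
class Profile:
    """Attributes sent in the TACACS+ authorization reply, plus the
    command-authorization permit list (regexes, first match wins)."""
    avps: tuple
    permit: tuple


PROFILES = {
    # NX-OS does not use privilege levels; a role is pushed instead.
    "nx-os-admin": Profile(
        avps=('cisco-av-pair*shell:roles="network-admin vdc-admin"',),
        permit=(r".*",),
    ),
    # IOS / IOS XE take a privilege level. The permit list keeps the
    # thread's order; the trailing ".*" makes the earlier entries redundant.
    "ios-admin": Profile(
        avps=("priv-lvl=15",),
        permit=(r"^configure", r"^show running-config", r"^enable",
                r".*show.*", r".*"),
    ),
}

# (user group, device group, profile), evaluated top to bottom.
RULES = [
    ("network_admins", "nx-os", "nx-os-admin"),
    ("network_admins", "ios", "ios-admin"),
]


def parse_avp(avp):
    """Split a TACACS+ attribute-value pair into (name, value, mandatory).
    RFC 8907: '=' marks the pair mandatory, '*' optional (the device may
    ignore an optional pair it does not understand)."""
    m = re.match(r"^([^=*]+)([=*])(.*)$", avp)
    if not m:
        raise ValueError(f"malformed AVP: {avp!r}")
    name, sep, value = m.groups()
    return name, value, sep == "="


def device_group(nas_ip):
    """Map a device's source address to its NAD group, or None."""
    addr = ipaddress.ip_address(nas_ip)
    for name, nets in DEVICE_GROUPS.items():
        if any(addr in net for net in nets):
            return name
    return None


def _profile_for(user, nas_ip):
    groups = USER_GROUPS.get(user, set())
    dg = device_group(nas_ip)
    for user_group, rule_dg, profile in RULES:
        if user_group in groups and rule_dg == dg:
            return PROFILES[profile]
    return None  # no rule matched: authorization fails


def authorize(user, nas_ip):
    """Attributes for the shell authorization (service=shell) or None."""
    prof = _profile_for(user, nas_ip)
    return prof.avps if prof else None


def command_permitted(user, nas_ip, command):
    """Return the permit pattern that allows the command, or None."""
    prof = _profile_for(user, nas_ip)
    if prof is None:
        return None
    for pattern in prof.permit:
        if re.match(pattern, command):  # anchored at the start (assumption)
            return pattern
    return None


if __name__ == "__main__":
    for user, ip in (("alice", "10.0.1.5"), ("alice", "10.0.2.7"),
                     ("eve", "10.0.2.7")):
        print(user, ip, authorize(user, ip))
    print(command_permitted("alice", "10.0.2.7", "show version"))
```

Two things the model makes visible. The same user gets `priv-lvl=15` on an IOS address and the `shell:roles` pair on an NX-OS address purely because the rule keys on the device group, which is why a single client group covering both platforms cannot work: one rule can return only one profile. And with `.*` at the end of the IOS permit list every command is permitted, so the earlier entries only change which pattern is reported; if command authorization is meant to restrict anything, that catch-all has to go.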