Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
824
Views
0
Helpful
3
Replies

TACACS and IOS/IOSxe/ and NX-OS

nygenxny123
Level 1
Level 1

‎02-19-2015 07:50 AM - edited ‎03-10-2019 10:28 PM

In our enviroment TACACS+ on TACACS.net

We also have IOS/IOSxe/ and NX-OS platforms.

 

 

My question is...from a configuration standpoint on a TACACS server..be it ACS or anything else..

Would the database configuration be any different?.. Ultimately I would like to have one group on the server

itself..and be able to add devices to it..Not have 3 different groups...etc
 

Labels:
0 Helpful
3 Replies 3

nspasov
Cisco Employee
Cisco Employee

‎02-19-2015 05:33 PM

You would have to elaborate a bit more on what you mean by "groups" and your environment, needs, requirements, etc. 

In general, IOS and IOS xe would have very similar configuration syntax and both would accept "privilege level" assignment and command authorization sets. NX-OS, however, is different and it does not use "privilege-levels." Instead, you will have to push a "role" in the authorization policy.

Check out the following links for more info:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x_chapter_0110.html...

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-3s/sec-usr-tacacs-xe-3s-book/sec-cfg-tacacs.html

I hope this helps!

 

Thank you for rating helpful posts!

0 Helpful

nygenxny123
Level 1
Level 1
In response to nspasov

‎02-20-2015 02:18 PM

thanks for the reply,

In our TACACS.net server we have a client group of NxOS devices for a group named

network_admins_for_NX...with the following permissions

 

-<UserGroups>

<UserGroup></UserGroup>

</UserGroups>

-<AutoExec>

<Set>cisco-av-pair*shell:roles="network-admin vdc-admin"</Set>

</AutoExec>


-<Shell>

<Permit>.*</Permit>

</Shell>

<Services> </Services>

</Authorization>

 

But we also have another client group of IOS and IOSxe associated with a user group,network_administration

<UserGroups>

<UserGroup>network_administration</UserGroup>

</UserGroups>

<ClientGroups>

<ClientGroup>IOS_D</ClientGroup>

<ClientGroup>IOS_XE_D</ClientGroup>

<ClientGroup>IOS_D_101</ClientGroup>

</ClientGroups>


-<AutoExec>

<Set>priv-lvl=15</Set>

</AutoExec>


-<Shell>

<Permit>configure</Permit>

<Permit>show running-config</Permit>

<Permit>enable</Permit>

<Permit>.*show.*</Permit>

<Permit>.*</Permit>

</Shell>

<Services> </Services>

</Authorization>

 

ideally I would just like to have 1 client group and 1 user group to ease management, since they are the same people in both user groups managing all the devices

 

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to nygenxny123

‎02-24-2015 05:22 AM

I am not familiar with your particular flavor of TACACS+ but in ACS you can have:

- One user group: For example: Network_Admins

- Two NAD Groups: One for NX-OS Devices and one for IOS Devices

- Two Authorization Profiles: One for NX-OS based admins and one for IOS based admins

- Two authorization rules: 

1. Matching against: User Group: Network_Admins and the NAD group of NX-OS  and returning Authorization Profile for NX-OS Admins which would contain the "role"

2. Matching against: User Group: Network_Admins and the NAD group of IOS and returning Authorization Profile for IOS Admins which would contain the "priv-level 15"

 

Thank you for rating helpful posts!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents