10-16-2019 05:23 AM - edited 02-21-2020 11:11 AM
Hi
I am working on implementing Cisco ISE as our Tacacs+ server in our company.
We have a mixed infrastructure with both Cisco IOS, Cisco IOS-XE and Cisco IOS-XR devices.
Right now, I am working on building the Policy Sets and belonging Tacacs Shell Profiles.
In my Tacacs shell profile (Privilege 15) I have configured a custom attribute for Cisco IOS-XR Taskgroup:
Type | Name | Value |
MANDATORY | task | rwx:,#operator |
Raw Profile Attributes:
priv-lvl=15
task=rwx:,#operator
When I use this Tacacs shell profile for Cisco IOS-XR devices it works great, but when I use the same Tacacs shell profile for Cisco IOS or Cisco IOS-XE devices it does not work.
For the Cisco IOS and Cisco IOS-XE devices the Tacacs login fails with error message: % Authorization failed
In the debug messages it says:
TPLUS: Processing the reply packet
TPLUS: Processed AV priv-lvl=15
TPLUS: Failed to decode unknown AV task=rwx:,#operator - FAIL
AAA/AUTHOR/EXEC(0000017D): Authorization FAILED
I then removed the custom attribute (taskgroup) from the Tacacs shell profile and then it works with Cisco IOS and Cisco IOS-XE – but of course not on Cisco IOS-XR devices.
It looks like the Cisco IOS and Cisco IOS-XE devices do not understand and do not ignore the included custom attribute in the Tacacs reply.
I want to hear if anyone has experience with using the same Tacacs shell profile for both Cisco IOS, Cisco IOS-XE and Cisco IOS-XR devices?
Any idea?
Thanks in advance.
01-31-2020 10:31 AM
IOS and IOS-XE can work with similar shell profiles. IOS-XR and NXOS are different beasts.
Either use a separate shell profile for IOS-XR, NXOS and IOS/IOS-XE if using a mandatory attribute, or simply make these attributes optional. My suggestion is to split the shell profiles to different groups with a mandatory attribute if you want to keep the tacacs authentication secure.
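The mandatory/optional distinction in the answer above is part of the TACACS+ protocol itself (RFC 8907, section 6.1): an argument sent as name=value is mandatory and a client that does not understand it must fail the authorization, while name*value is optional and may be ignored. The following Python model is an added example written for this thread, not Cisco code and not the behaviour of any particular IOS release; the sets of attribute names each platform "understands" are assumptions chosen only to reproduce the failure in the original post.

```python
"""Model of how a TACACS+ client evaluates the AV pairs in an authorization
reply, following the mandatory ('=') / optional ('*') rule in RFC 8907 s6.1.
Constructed example for illustration; it is not vendor code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed attribute vocabularies (hypothetical, for the example only):
# an IOS/IOS-XE style client that knows common shell attributes but not "task",
# and an IOS-XR style client that additionally understands "task" (task groups).
IOS_KNOWN: Set[str] = {"priv-lvl", "autocmd", "idletime", "timeout"}
IOSXR_KNOWN: Set[str] = IOS_KNOWN | {"task"}


@dataclass(frozen=True)
class AVPair:
    name: str
    value: str
    mandatory: bool


def parse_av_pair(arg: str) -> AVPair:
    """Split one argument at its first separator: '=' mandatory, '*' optional.
    The value may itself contain '=' or '*', so only the first separator counts."""
    for i, ch in enumerate(arg):
        if ch == "=":
            return AVPair(arg[:i], arg[i + 1:], True)
        if ch == "*":
            return AVPair(arg[:i], arg[i + 1:], False)
    raise ValueError(f"argument has no separator: {arg!r}")


def evaluate_reply(args: List[str], known: Set[str]) -> Tuple[bool, Dict[str, str], List[str]]:
    """Apply a server reply to a client that understands the names in `known`.
    Returns (authorized, attributes applied, optional attributes ignored)."""
    applied: Dict[str, str] = {}
    ignored: List[str] = []
    for arg in args:
        av = parse_av_pair(arg)
        if av.name in known:
            applied[av.name] = av.value
        elif av.mandatory:
            # Unknown mandatory argument: the client MUST treat authorization as failed.
            # This is the "Failed to decode unknown AV task=... - FAIL" case in the post.
            return False, applied, ignored
        else:
            # Unknown optional argument: silently disregarded.
            ignored.append(av.name)
    return True, applied, ignored


if __name__ == "__main__":
    # Raw profile attributes from the original post, as sent on the wire.
    shared_profile = ["priv-lvl=15", "task=rwx:,#operator"]
    # Same profile with the task-group attribute marked optional.
    optional_profile = ["priv-lvl=15", "task*rwx:,#operator"]
    for label, known in (("IOS/IOS-XE", IOS_KNOWN), ("IOS-XR", IOSXR_KNOWN)):
        print(label, "mandatory task ->", evaluate_reply(shared_profile, known))
        print(label, "optional task  ->", evaluate_reply(optional_profile, known))
```

Running it shows the trade-off the answer describes: with task sent as mandatory, the IOS-style client fails the whole EXEC authorization, while with task sent as optional it authorizes with only priv-lvl applied and the task group silently dropped. That silent drop is why separate shell profiles per platform, keeping the attribute mandatory, are the safer choice when the attribute carries authorization meaning.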
01-31-2020 04:43 PM
@Nadav is correct. Different platforms have different underlying operating systems and/or features that may require different VSAs that other platforms may not understand (for example, NX-OS Virtual Device Contexts).
A common approach is to group similar devices into Network Device Groups (NDGs) and use those NDGs as matching conditions to create separate Policy Sets and/or Authorization Policies with the relevant Shell Profiles and/or Command Sets.
Cheers,
Greg