05-04-2023 09:43 AM
On a Cisco 93180 N9K: how can I configure AAA authentication using ISE TACACS while giving that user access to all exec commands on the device? My current configuration looks to TACACS for authorization of commands, but I just want to configure the device to give any TACACS-authenticated user full exec privileges.
Current configuration:
aaa authentication login default group TACACS_LIST local
aaa authorization commands default group TACACS_LIST local
I tried setting the authorization command to default local but then it just takes away all permissions for anyone authenticated through TACACS.
05-04-2023 11:47 AM - edited 05-04-2023 11:50 AM
Hello @RyanPowers9691,
The "aaa authorization exec" command authorizes users for all EXEC sessions after they have been successfully authenticated through TACACS+. The "if-authenticated" keyword allows any user authenticated by TACACS+ to execute any EXEC command on the device.
Note that this configuration only provides authorization for EXEC sessions. If you also want to provide authorization for configuration changes, you should use the "aaa authorization config-commands" command instead of "aaa authorization exec".
05-08-2023 03:50 AM
None of the following commands are present on the NX-OS device:
aaa authorization exec
aaa authorization config-commands
if-authenticated
05-08-2023 04:53 AM - edited 05-08-2023 04:54 AM
I think this is what M02@rt37 means here.
For all exec commands:
aaa authorization commands {console | default } {group group-list [ local ] | local}
For config-t commands:
aaa authorization config-commands {console | default } {group group-list [ local ] | local}
Sorry, there is no if-auth with authz in NX-OS.