Privilege Level for Tacacs Account in Nexus 7000

qasey_shiz · ‎09-02-2013

Hi,

I have configured the Tacacs (ACS 4.2v) on Nexus 7000 (as mentioned below) and works fine but unlike IOS (6509) It's doesn't prompt that you are in userexec mode (>) and then need to type enable and password for full privilege.

In n7k when I entered into "configure terminal" It won't allow me to access other commands.

How to login into level 15 privilege mode after authenticating from tacacs

(config)# show running-config tacacs+

tacacs-server key 7 "xxxxx"

tacacs-server host x.x.x.x key 7 "xxxx"

aaa group server tacacs+ TacServer

server x.x.x.x (same ip as tacacs-server host)

use-vrf management

source-interface Vlan2

(config)# show running-config aaa

aaa authentication login default group TacServer

aaa authentication login console local

aaa user default-role

Here below are the commands accessible in "Terminal" currently

(config)# ?

no Negate a command or set its defaults

username Configure user information.

end Go to exec mode

exit Exit from command interpreter

isb.n7k-dcn-agg-1-sw(config)#

This document was generated from the following discussion: Privilege Level for Tacacs Account in Nexus 7000

qasey_shiz · ‎09-02-2013

Hi,

After scratching my head found the resolution, Need to configure this attribute per user or per group.

First, go to Interface Configuration -> TACACS+ and enable "Display a window for each service selected in which you can enter customized TACACS+ attributes".

Next, go to the user or group where you want to grant this role and check the box next to "Shell (exec)" and in the custom attributes field below add the role assignment.

Note: if you will be authenticating on both NX-OS and IOS devices, use * instead of = to make the role optional or the IOS devices will fail authorization.

ie:

shell:roles*"network-admin"