1507 Views · 5 Helpful · 2 Replies

console authorization on Nexus 7000 switch not working

baghimir
Level 1

Hi,

I'm trying to enable command authorization for SSH as well as console access to a Nexus 7010 box (version 5.0). Following is the config:

aaa group server tacacs+ ACS5-1
    server 10.12.19.11
    server 10.12.19.12
    source-interface loopback0
snmp-server enable traps aaa server-state-change
aaa authentication login default group ACS5-1 local
aaa authorization config-commands default group ACS5-1 local
aaa authorization commands default group ACS5-1 local

NX# sh aaa authentication
         default: group ACS5-1
         console: group ACS5-1
NX#

NX# show aaa authorization
         pki-ssh-cert: local
         pki-ssh-pubkey: local
AAA command authorization:
         default authorization for config-commands: group ACS5-1 local
         default authorization for commands: group ACS5-1 local

As you can see, the default group configuration ACS5-1 for authentication has been applied to both default and console. But the command authorization does not appear to be applied to the console. As a result, when I log in from the console and get authenticated, the command authorization does not trigger and I can run commands I'm not supposed to. In the configuration, I do not see an "aaa authorization console" option like we have in IOS.

Anything I'm missing? Please help.

2 Replies

phiharri
Level 1

Hey Badri,

Check the documentation:

"For Cisco NX-OS Releases 4.x and 5.x, command authorization is available only for non-console sessions."

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter6.html

Command authorization for console sessions is coming in NX-OS 6.x.

Hope this helps,

/Phil
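The gap Phil points to is easy to miss in a config review, because the authentication output lists a console entry while the command-authorization output does not. Below is an added audit script (not from the original post or from Cisco) that parses the two `show aaa` outputs quoted above, exactly as pasted by the poster, and reports any console login method that has no matching console command authorization; for 4.x/5.x it also notes that the release cannot provide it, as Phil's documentation quote states. The sample output strings are copied from the post; the version string and the finding wording are this example's own.

```python
import re

# Constructed sample input: the "show aaa authentication" and "show aaa
# authorization" output quoted in the original post (Nexus 7010, NX-OS 5.0).
SHOW_AAA_AUTHENTICATION = """\
         default: group ACS5-1
         console: group ACS5-1
"""

SHOW_AAA_AUTHORIZATION = """\
         pki-ssh-cert: local
         pki-ssh-pubkey: local
AAA command authorization:
         default authorization for config-commands: group ACS5-1 local
         default authorization for commands: group ACS5-1 local
"""

AUTHN_LINE = re.compile(r"^\s*(default|console):\s*(.+?)\s*$")
AUTHZ_LINE = re.compile(
    r"^\s*(\w+) authorization for (config-commands|commands):\s*(.+?)\s*$"
)
VERSION = re.compile(r"^\s*(\d+)\.")


def parse_authentication(text):
    """Map each login session type ('default', 'console') to its method list."""
    methods = {}
    for line in text.splitlines():
        m = AUTHN_LINE.match(line)
        if m:
            methods[m.group(1)] = m.group(2)
    return methods


def parse_command_authorization(text):
    """Map (session, command type) to its method list, reading only the
    'AAA command authorization:' block of 'show aaa authorization'."""
    methods = {}
    in_block = False
    for line in text.splitlines():
        if line.strip() == "AAA command authorization:":
            in_block = True
            continue
        if not in_block:
            continue
        m = AUTHZ_LINE.match(line)
        if m:
            methods[(m.group(1), m.group(2))] = m.group(3)
    return methods


def nxos_major_version(version):
    """Return the major release number: '5.1(3)' -> 5, '6.2(8)' -> 6."""
    m = VERSION.match(version)
    if not m:
        raise ValueError("unrecognised NX-OS version string: %r" % version)
    return int(m.group(1))


def audit_console_command_authz(version, authn_text, authz_text):
    """Return findings for console sessions that authenticate via AAA but
    have no console entry under command authorization."""
    findings = []
    authn = parse_authentication(authn_text)
    authz = parse_command_authorization(authz_text)
    console_authn = authn.get("console")
    if console_authn is None:
        findings.append("no console login method list shown")
        return findings
    console_cmd_authz = {cmd for (session, cmd) in authz if session == "console"}
    for cmd_type in ("config-commands", "commands"):
        if cmd_type not in console_cmd_authz:
            findings.append(
                "console logins use '%s' but no console authorization for %s "
                "is shown" % (console_authn, cmd_type)
            )
    # Per the NX-OS 5.x security guide quoted above, 4.x/5.x only authorize
    # commands for non-console sessions, so this is expected on those releases.
    if findings and nxos_major_version(version) in (4, 5):
        findings.append(
            "NX-OS %s: command authorization is available only for non-console "
            "sessions in 4.x/5.x, so console users are not subject to it" % version
        )
    return findings


if __name__ == "__main__":
    for finding in audit_console_command_authz(
        "5.0", SHOW_AAA_AUTHENTICATION, SHOW_AAA_AUTHORIZATION
    ):
        print("finding:", finding)
```

Run against the poster's output with version `5.0`, the script reports the two missing console authorization entries plus the release note; on a 6.x box the same two entries would still be flagged until console command authorization is actually configured, which is the condition a reviewer would want to confirm after an upgrade.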

Hi baghimir,

Have you resolved this issue yet? I had a similar issue to yours, but I cannot get the local user to pass authentication via the console interface.

We're running 5.1(3). Do you think it was a bug on this version?

Thanks

Justin
