11-30-2011 04:50 PM - edited 03-07-2019 03:40 AM
Hi,
I'm trying to enable command authorization for ssh as well as console access to a Nexus 7010 box (version 5.0). Following is the config:
aaa group server tacacs+ ACS5-1
server 10.12.19.11
server 10.12.19.12
source-interface loopback0
snmp-server enable traps aaa server-state-change
aaa authentication login default group ACS5-1 local
aaa authorization config-commands default group ACS5-1 local
aaa authorization commands default group ACS5-1 local
NX# sh aaa authentication
default: group ACS5-1
console: group ACS5-1
NX#
NX# show aaa authorization
pki-ssh-cert: local
pki-ssh-pubkey: local
AAA command authorization:
default authorization for config-commands: group ACS5-1 local
default authorization for commands: group ACS5-1 local
As you can see, the default group configuration ACS5-1 for authentication has applied to both default and console. But the command authorization does not appear to be applied to the console. As a result, when I log in from the console and get authenticated, the command authorization does not trigger and I can run commands I'm not supposed to. In the configuration, I do not see an "aaa authorization console" option, unlike in IOS.
Anything I'm missing? Please help.
12-01-2011 06:35 AM
Hey Badri,
Check the documentation:
"For Cisco NX-OS Releases 4.x and 5.x, command authorization is available only for non-console sessions."
Command authorization for console sessions is coming in NX-OS 6.x.
Hope this helps,
/Phil
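An added example, not part of the original thread or any Cisco tooling: an offline Python check that parses the two `show` outputs posted in the question and reports session types that are authenticated but have no command authorization listed. The embedded outputs are copied from the post; that a console entry, on a release that supports one, would use the same `<session> authorization for commands:` line format is an assumption.

```python
import re

# Outputs as posted in the question (NX-OS 5.0), embedded so the check runs offline.
SHOW_AAA_AUTHENTICATION = """\
default: group ACS5-1
console: group ACS5-1
"""
SHOW_AAA_AUTHORIZATION = """\
pki-ssh-cert: local
pki-ssh-pubkey: local
AAA command authorization:
default authorization for config-commands: group ACS5-1 local
default authorization for commands: group ACS5-1 local
"""

AUTHN_LINE = re.compile(r"^\s*(default|console):\s*(.+?)\s*$")
# Assumption: every session type is reported as "<session> authorization for <kind>: <methods>".
AUTHZ_LINE = re.compile(r"^\s*(\w+) authorization for (config-commands|commands):\s*(.+?)\s*$")

def parse_authentication(text):
    """Return {session_type: [methods]} from 'show aaa authentication'."""
    return {m.group(1): m.group(2).split()
            for m in map(AUTHN_LINE.match, text.splitlines()) if m}

def parse_authorization(text):
    """Return {session_type: {kind: [methods]}} from 'show aaa authorization'."""
    result = {}
    for m in map(AUTHZ_LINE.match, text.splitlines()):
        if m:
            result.setdefault(m.group(1), {})[m.group(2)] = m.group(3).split()
    return result

def audit(authn_text, authz_text):
    """List session types that authenticate but lack command authorization."""
    authn = parse_authentication(authn_text)
    authz = parse_authorization(authz_text)
    findings = []
    for session in sorted(authn):
        for kind in ("commands", "config-commands"):
            if kind not in authz.get(session, {}):
                findings.append(f"{session}: authenticated via "
                                f"{' '.join(authn[session])}, no {kind} authorization")
    return findings

if __name__ == "__main__":
    for finding in audit(SHOW_AAA_AUTHENTICATION, SHOW_AAA_AUTHORIZATION):
        print(finding)
```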
04-29-2013 07:30 AM
Hi baghimir,
Have you resolved this issue yet? I had a similar issue, but I cannot get the local user pass for authentication via the console interface.
We're running 5.1(3). Do you think it is a bug in this version?
Thanks
Justin