08-30-2012 07:29 PM
Hi guys, we opened a TAC case recently and the TAC engineer asked us to issue a few commands on the ASR to collect the info. But some commands need the 'cisco-support' privilege and we need to add the 'cisco-support' privilege in TACACS. Could anyone show me how to add it in TACACS and on the ASR?
Thanks. Leo
08-31-2012 12:05 AM
09-03-2012 06:48 PM
Hi Alex,
I am trying to add the cisco-support privilege to one local user to test, but the authentication failed when I tried to log in via console or SSH. The version is 4.2.0 and the following is the aaa config. Am I missing anything? Thanks.
username test
 group root-system
 group cisco-support
 password 7 070E315C420C485744
!
aaa accounting exec secure start-stop group AAA
aaa accounting exec console start-stop group AAA none
aaa accounting commands secure start-stop group AAA
aaa accounting commands console start-stop group AAA none
aaa group server tacacs+ AAA
 server a.a.a.a
 server b.b.b.b
!
aaa authorization exec secure group AAA local
aaa authorization exec console group AAA local
aaa authorization exec default none
aaa authorization commands secure group AAA
aaa authorization commands console group AAA none
aaa authorization commands default none
aaa authorization eventmanager default local
aaa authentication login secure group AAA local
aaa authentication login console group AAA local
aaa authentication login default local
aaa authentication login eventmanager local
Regards, Leo
09-03-2012 11:44 PM
Hi Leo,
A local user database would be used only in a case when your tacacs server is down and used as a backup access. Under normal working conditions a user with root privileges should be defined on the tacacs server.
Otherwise, for testing your local user, bring the tacacs down and verify if you can login with local “test” user.
Regards,
/A
09-04-2012 04:34 PM
Thanks Alex, I had found this answer in the ASR9k config document. Anyway, I appreciate your reply.
Regards, Leo
09-04-2012 07:28 PM
Hi Alex, one more question: what could be the risk if one account gets the cisco-support privilege? Say, could some show commands impact the ASR performance? I am wondering whether we should add this privilege to every team member or create a generic account that can be used when they need it. What is the best practice from your side?
Thanks. Leo
09-04-2012 11:53 PM
Hi Leo,
My recommendation would be to enable the cisco-support group for your engineers. It is extremely frustrating for everybody to find out that we cannot run some commands during a network down situation.
We have a TAC request as well to merge root and cisco-support together as we don’t see much added value of having them separated.
Regards,
/A
09-05-2012 05:27 PM
Thanks Alex.
09-11-2012 08:09 PM
Hi Alex, sorry to bother, I am trying to add 'cisco-support' in TACACS for everyone. We are running ACS 5.1.0.44.3, but I couldn't find any documents that show how to do that. Could you please help confirm if my following steps are correct? Should the requirement be mandatory? Where can I find a doc that explains the value setting? Thanks.
In the ACS GUI, Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles -> View: "Shell Profile Priv. Level 15" -> go to the Custom Attributes tab
Attribute: Cisco support
Requirement: Mandatory
Value: task="# root-system, # cisco-support"
Regards, Leo
09-11-2012 11:57 PM
Sorry, I don't have ACS to verify it but I have a snapshot from the past.
In this example we use priv13.
XR config:
!
usergroup priv13 <--------- This is mapped to Privilege 13 on ACS (Cisco group)
 taskgroup root-system
 taskgroup cisco-support
!
In ACS, check cisco-av-pair
Enter the text "shell:priv-lvl" to define the privilege group for the group
===========================================
"shell:priv-lvl=13"
"shell:tasks*=#root-system,#cisco-support"
===========================================
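To make the correspondence between the two ACS attributes and the XR usergroup stanza concrete, here is an added example (not code from the thread or from Cisco) that parses TACACS+ shell AV pairs of this form, reports whether each is mandatory (`=`) or optional (`*`, which the snapshot spells as `*=`), and renders the matching XR `usergroup` block. The `priv<N>` usergroup naming follows the snapshot and is an assumption, not an XR requirement.

```python
"""Parse TACACS+ shell AV pairs for IOS XR task authorization and render the
equivalent 'usergroup' stanza. Added example; not from the thread or Cisco."""
import re
from dataclasses import dataclass

# name, then separator: '=' means mandatory, '*' means optional (TACACS+ AV pair
# syntax, RFC 8907); the ACS snapshot spells the optional form 'name*=value'.
_AV_RE = re.compile(r'^\s*"?(?P<name>[^=*"]+?)(?P<sep>\*=?|=)"?(?P<value>.*?)"?\s*$')


@dataclass(frozen=True)
class AvPair:
    name: str
    value: str
    mandatory: bool


def parse_av_pair(text: str) -> AvPair:
    """Split one AV pair; curly quotes from copy/paste are normalised first."""
    text = text.replace('\u201c', '"').replace('\u201d', '"')
    m = _AV_RE.match(text)
    if not m:
        raise ValueError(f"not an AV pair: {text!r}")
    return AvPair(m['name'].strip(), m['value'].strip(), m['sep'] == '=')


def task_groups(tasks_value: str) -> list[str]:
    """Entries of shell:tasks prefixed with '#' name XR task groups; stray
    spaces such as in '# root-system, # cisco-support' are tolerated."""
    groups = []
    for item in tasks_value.split(','):
        item = item.strip()
        if item.startswith('#'):
            groups.append(item[1:].strip())
        elif item:
            raise ValueError(f"unsupported tasks entry (no '#' prefix): {item!r}")
    return groups


def xr_usergroup(av_pairs: list[str]) -> str:
    """Render the XR usergroup block for the AV pairs (priv<N> naming assumed)."""
    pairs = {p.name: p for p in map(parse_av_pair, av_pairs)}
    level = pairs['shell:priv-lvl'].value
    groups = task_groups(pairs['shell:tasks'].value)
    lines = [f"usergroup priv{level}"] + [f" taskgroup {g}" for g in groups] + ["!"]
    return "\n".join(lines)


# Constructed sample: the two attribute lines from the ACS snapshot above.
SNAPSHOT = ['"shell:priv-lvl=13"', '"shell:tasks*=#root-system,#cisco-support"']

if __name__ == "__main__":
    for p in map(parse_av_pair, SNAPSHOT):
        print(f"{p.name}: {p.value} ({'mandatory' if p.mandatory else 'optional'})")
    print(xr_usergroup(SNAPSHOT))
```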