<div dir="ltr">Alan has a good point, even the built-in roles work well on the Nexus. Side note: do_auth makes either solution easier. </div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 17, 2015 at 2:31 AM, Alan McKinnon <span dir="ltr"><<a href="mailto:alan.mckinnon@gmail.com" target="_blank">alan.mckinnon@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 16/07/2015 23:39, Kevin.Cruse@Instinet.com wrote:<br>
><br>
><br>
> Hello<br>
><br>
> I have configured TACPLUS to work with a Cisco Nexus device. I am able to<br>
> successfully authenticate, however, I am able to run all commands on the<br>
> router. It seems the router is not restricted to the commands specified in<br>
> my group config. Has anyone gotten Cisco Nexus to work properly with<br>
> tacplus? I need to limit certain users and cannot get this working<br>
> properly. Any help is greatly appreciated!!! Thanks.<br>
<br>
</span>I couldn't get command auth to work properly on Nexus either. Also, my<br>
colleagues in NetOps assured me the command list was more complex and<br>
more involved and trickier for NX-OS than plain IOS.<br>
<br>
Our solution was to implement the roles we needed on the Nexus itself<br>
and send the role as an AV pair back from the tacacs server. The<br>
architecture of the 5000 and 9000 we used made this simple to manage.<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
><br>
> Group Config:<br>
><br>
> group = snm {<br>
> default service = deny<br>
> service = shell {<br>
> set shell:roles="\"network-admin\""<br>
> default command = deny<br>
> default attribute = deny<br>
> set priv-lvl = 15<br>
> cmd = configure {deny .*}<br>
> cmd = clear {<br>
> permit "counters"<br>
> permit "qos stat"<br>
> permit "mls qos int"<br>
> }<br>
> cmd = disable {permit .*}<br>
> cmd = enable {permit .*}<br>
> cmd = end {permit .*}<br>
> cmd = exit {permit .*}<br>
> cmd = logout {permit .*}<br>
> cmd = ping {permit .*}<br>
> cmd = set {<br>
> permit "length 0"<br>
> }<br>
> cmd = show {<br>
> deny "controllers vip"<br>
> permit .*<br>
> }<br>
> cmd = skip-page-display {permit .*}<br>
> cmd = terminal {<br>
> permit "length 0"<br>
> }<br>
> cmd = write {<br>
> permit "network"<br>
> permit "terminal"<br>
> permit "memory"<br>
> }<br>
> }<br>
> }<br>
><br>
><br>
> user = testuser {<br>
><br>
> member = snm<br>
> }<br>
><br>
><br>
> Session output from router:<br>
><br>
> telnet labrouter<br>
> Trying labrouter...<br>
> Connected to labrouter.<br>
> Escape character is '^]'.<br>
> User Access Verification<br>
> login: testuser<br>
> Password:<br>
> Cisco Nexus Operating System (NX-OS) Software<br>
> TAC support: <a href="http://www.cisco.com/tac" rel="noreferrer" target="_blank">http://www.cisco.com/tac</a><br>
> Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.<br>
> The copyrights to certain works contained in this software are<br>
> owned by other third parties and used and distributed under<br>
> license. Certain components of this software are licensed under<br>
> the GNU General Public License (GPL) version 2.0 or the GNU<br>
> Lesser General Public License (LGPL) Version 2.1. A copy of each<br>
> such license is available at<br>
> <a href="http://www.opensource.org/licenses/gpl-2.0.php" rel="noreferrer" target="_blank">http://www.opensource.org/licenses/gpl-2.0.php</a> and<br>
> <a href="http://www.opensource.org/licenses/lgpl-2.1.php" rel="noreferrer" target="_blank">http://www.opensource.org/licenses/lgpl-2.1.php</a><br>
> LABROUTER# configure<br>
> <------------------------------------------------------------ This should<br>
> be denied<br>
> Enter configuration commands, one per line. End with CNTL/Z.<br>
> LABROUTER(config)# interface ethernet 1/1 configure<br>
> <------------------------------------------------------------ This should<br>
> be denied<br>
> LABROUTER(config-if)# shut<br>
> <------------------------------------------------------------ This should<br>
> be denied<br>
> LABROUTER(config-if)# no shut<br>
> <------------------------------------------------------------ This should<br>
> be denied<br>
> LABROUTER(config-if)# end<br>
> LABROUTER#<br>
><br>
> _______________________________________________<br>
> tac_plus mailing list<br>
> <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
> <a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" rel="noreferrer" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
><br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Alan McKinnon<br>
<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a><br>
</font></span><div class="HOEnZb"><div class="h5"><br>
</div></div></blockquote></div><br></div>
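<p>To make the gap between the quoted group config and the quoted session output concrete, here is an added Python example (written for this page; it is not tac_plus code and not from the poster or from Alan). It transcribes the permit/deny rules of the snm group into a table, applies them to the commands typed in the session, and reports what the server would have answered for each. The names SNM_CMD_RULES, SESSION_COMMANDS, authorize and evaluate_session are constructed here; the matching semantics (first word is the command, the rest is the argument string, regexes tried in order with the first match deciding, unlisted commands falling to <code>default command</code>, a listed command with no matching regex denied) are an assumption to be checked against tac_plus.conf(5) for the version in use.</p>

```python
import re

# Rules transcribed from the "snm" group in the quoted tac_plus config.
# This is a constructed Python representation, not a tac_plus config parser.
# command name -> ordered list of (action, regex) pairs, as written in the group.
SNM_CMD_RULES = {
    "configure": [("deny", ".*")],
    "clear": [("permit", "counters"), ("permit", "qos stat"), ("permit", "mls qos int")],
    "disable": [("permit", ".*")],
    "enable": [("permit", ".*")],
    "end": [("permit", ".*")],
    "exit": [("permit", ".*")],
    "logout": [("permit", ".*")],
    "ping": [("permit", ".*")],
    "set": [("permit", "length 0")],
    "show": [("deny", "controllers vip"), ("permit", ".*")],
    "skip-page-display": [("permit", ".*")],
    "terminal": [("permit", "length 0")],
    "write": [("permit", "network"), ("permit", "terminal"), ("permit", "memory")],
}
DEFAULT_COMMAND = "deny"  # "default command = deny" in the group

# Commands typed in the poster's session, transcribed from the quoted output
# (the "configure" trailing "interface ethernet 1/1" is copied as typed).
SESSION_COMMANDS = [
    "configure",
    "interface ethernet 1/1 configure",
    "shut",
    "no shut",
    "end",
]


def authorize(command_line, rules=SNM_CMD_RULES, default=DEFAULT_COMMAND):
    """Return ("permit" | "deny", reason) for one command line.

    Semantics modelled here (assumption; check tac_plus.conf(5) for your version):
    - the first word is the command, the remainder is the argument string;
    - a command with no cmd block falls back to `default command`;
    - inside a cmd block the regexes are tried in order and the first one
      that matches the argument string decides;
    - a cmd block in which nothing matches denies.
    """
    parts = command_line.strip().split()
    if not parts:
        return "deny", "empty command"
    cmd, args = parts[0], " ".join(parts[1:])
    if cmd not in rules:
        return default, f"no cmd block for {cmd!r}, default command = {default}"
    for action, pattern in rules[cmd]:
        if re.search(pattern, args):
            return action, f"cmd = {cmd}: {action} {pattern!r} matched {args!r}"
    return "deny", f"cmd = {cmd}: no regex matched {args!r}"


def evaluate_session(commands, rules=SNM_CMD_RULES):
    """Map each command line to the decision the group's rules would give."""
    return {c: authorize(c, rules)[0] for c in commands}


if __name__ == "__main__":
    for cmd, decision in evaluate_session(SESSION_COMMANDS).items():
        print(f"{decision:6s}  {cmd}")
```

<p>Run as written, every command in the session except <code>end</code> comes back as deny, which is what the poster expected the switch to enforce. The same group also returns <code>shell:roles="network-admin"</code>, the NX-OS role with full read-write access, and a role is what the switch applies to the session once it is up; Alan's reply moves the restriction into a role defined on the Nexus itself and returns that role's name in the AV pair instead.</p>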