[tac_plus] Cisco Nexus Authorization problem

Daniel Schmidt daniel.schmidt at wyo.gov
Fri Jul 17 15:40:07 UTC 2015


Alan has a good point; even the built-in roles work well on the Nexus.
Side note: do_auth makes either solution easier.

On Fri, Jul 17, 2015 at 2:31 AM, Alan McKinnon <alan.mckinnon at gmail.com>
wrote:

> On 16/07/2015 23:39, Kevin.Cruse at Instinet.com wrote:
> >
> >
> > Hello
> >
> > I have configured TACPLUS to work with a Cisco Nexus device. I am able to
> > successfully authenticate; however, I am able to run all commands on the
> > router. It seems the router is not restricted to the commands specified
> > in my group config. Has anyone gotten Cisco Nexus to work properly with
> > tacplus? I need to limit certain users and cannot get this working
> > properly. Any help is greatly appreciated!!! Thanks.
>
> I couldn't get command auth to work properly on Nexus either. Also, my
> colleagues in NetOps assured me the command list was more complex and
> more involved and trickier for NX-OS than plain IOS.
>
> Our solution was to implement the roles we needed on the Nexus itself
> and send the role as an AV pair back from the tacacs server. The
> architecture of the 5000 and 9000 we used made this simple to manage.
>
>
> >
> > Group Config:
> >
> >         group = snm {
> >                 default service = deny
> >                 service = shell {
> >                         set shell:roles="\"network-admin\""
> >                         default command = deny
> >                         default attribute = deny
> >                         set priv-lvl = 15
> >                         cmd = configure {deny .*}
> >                         cmd = clear {
> >                                 permit "counters"
> >                                 permit "qos stat"
> >                                 permit "mls qos int"
> >                         }
> >                         cmd = disable {permit .*}
> >                         cmd = enable {permit .*}
> >                         cmd = end {permit .*}
> >                         cmd = exit {permit .*}
> >                         cmd = logout {permit .*}
> >                         cmd = ping {permit .*}
> >                         cmd = set {
> >                                 permit "length 0"
> >                         }
> >                         cmd = show {
> >                                 deny "controllers vip"
> >                                 permit .*
> >                         }
> >                         cmd = skip-page-display {permit .*}
> >                         cmd = terminal {
> >                                 permit "length 0"
> >                         }
> >                         cmd = write {
> >                                 permit "network"
> >                                 permit "terminal"
> >                                 permit "memory"
> >                         }
> >                 }
> >         }
> >
> >
> >         user = testuser {
> >
> >                 member = snm
> >         }
> >
> >
> > Session output from router:
> >
> >  telnet labrouter
> > Trying labrouter...
> > Connected to labrouter.
> > Escape character is '^]'.
> > User Access Verification
> > login: testuser
> > Password:
> > Cisco Nexus Operating System (NX-OS) Software
> > TAC support: http://www.cisco.com/tac
> > Copyright (c) 2002-2014, Cisco Systems, Inc. All rights reserved.
> > The copyrights to certain works contained in this software are
> > owned by other third parties and used and distributed under
> > license. Certain components of this software are licensed under
> > the GNU General Public License (GPL) version 2.0 or the GNU
> > Lesser General Public License (LGPL) Version 2.1. A copy of each
> > such license is available at
> > http://www.opensource.org/licenses/gpl-2.0.php and
> > http://www.opensource.org/licenses/lgpl-2.1.php
> > LABROUTER# configure
> > <------------------------------------------------------------ This should be denied
> > Enter configuration commands, one per line.  End with CNTL/Z.
> > LABROUTER(config)# interface ethernet 1/1 configure
> > <------------------------------------------------------------ This should be denied
> > LABROUTER(config-if)# shut
> > <------------------------------------------------------------ This should be denied
> > LABROUTER(config-if)# no shut
> > <------------------------------------------------------------ This should be denied
> > LABROUTER(config-if)# end
> > LABROUTER#
> >
> >
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo/tac_plus
> >
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>

-- 

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
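Added example, written for this thread and not code from the tac_plus project or from anyone posting here: a small Python evaluator for the `cmd` blocks of the `snm` group Kevin posted. It parses that subset of tac_plus.conf and replays the commands from his session, following the tac_plus.conf(5) matching rules as I read them (the first word of a command selects its `cmd` block, the remaining arguments are joined by single spaces and tested against each permit/deny regex in order, unanchored like regexec, the first match wins, a block with no matching expression denies, and `default command` applies only when no block exists). Under those rules the policy text denies `configure`, `interface ethernet 1/1` and `shut`, so the policy itself is not what lets them through; that is consistent with Alan's experience that the Nexus is not enforcing per-command authorization and that the role carried in the `shell:roles` attribute governs access there. The function and variable names are my own.

```python
"""Offline evaluator for the cmd blocks of a tac_plus shell service.

Assumed matching semantics (my reading of tac_plus.conf(5), not verified
against the tac_plus sources): first word selects the cmd block, regexes
are searched unanchored in order, first match wins, no match in a block
denies, and `default command` applies only when no block exists.
"""
import re
from dataclasses import dataclass, field

# Command directives copied from the snm group posted in the thread; the
# shell:roles and priv-lvl attributes are omitted because they are returned
# to the device and do not take part in per-command matching.
POLICY_TEXT = """
service = shell {
    default command = deny
    cmd = configure {deny .*}
    cmd = clear {
        permit "counters"
        permit "qos stat"
        permit "mls qos int"
    }
    cmd = disable {permit .*}
    cmd = enable {permit .*}
    cmd = end {permit .*}
    cmd = exit {permit .*}
    cmd = logout {permit .*}
    cmd = ping {permit .*}
    cmd = set {
        permit "length 0"
    }
    cmd = show {
        deny "controllers vip"
        permit .*
    }
    cmd = skip-page-display {permit .*}
    cmd = terminal {
        permit "length 0"
    }
    cmd = write {
        permit "network"
        permit "terminal"
        permit "memory"
    }
}
"""

# Commands typed in Kevin's session, in order (constructed from the log).
SESSION_COMMANDS = ["configure", "interface ethernet 1/1", "shut", "no shut", "end"]


@dataclass
class ShellPolicy:
    default_command: str = "deny"
    cmds: dict = field(default_factory=dict)  # name -> [(verdict, regex), ...]


_DEFAULT_RE = re.compile(r"default\s+command\s*=\s*(permit|deny)")
_CMD_RE = re.compile(r"cmd\s*=\s*(\S+)\s*\{(.*)$")
_RULE_RE = re.compile(r'(permit|deny)\s+(?:"([^"]*)"|([^\s}]+))')


def parse_shell_policy(text):
    """Parse only `default command` and `cmd = name { permit/deny ... }`."""
    policy = ShellPolicy()
    current = None  # name of the cmd block being filled, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _DEFAULT_RE.match(line)
        if m and current is None:
            policy.default_command = m.group(1)
            continue
        m = _CMD_RE.match(line)
        if m:
            current = m.group(1)
            policy.cmds[current] = []
            line = m.group(2)  # one-line blocks keep their rules after '{'
        for rule in _RULE_RE.finditer(line):
            if current is None:
                raise ValueError("permit/deny outside a cmd block: " + raw)
            pattern = rule.group(2) if rule.group(2) is not None else rule.group(3)
            policy.cmds[current].append((rule.group(1), re.compile(pattern)))
        if "}" in line and current is not None:
            current = None
    return policy


def authorize(policy, command):
    """Return (verdict, reason) for one command line, per the rules above."""
    words = command.split()
    if not words:
        return "deny", "empty command line"
    name, args = words[0], " ".join(words[1:])
    rules = policy.cmds.get(name)
    if rules is None:
        return policy.default_command, f"no cmd block for {name!r}; default command applies"
    for verdict, regex in rules:
        if regex.search(args):  # unanchored, so 'length 0' also matches 'length 0 x'
            return verdict, f"{verdict} {regex.pattern!r} matched"
    return "deny", "no expression in the cmd block matched"


def replay(policy, commands):
    """Authorize each command in turn, as a device doing per-command auth would."""
    return [(cmd, *authorize(policy, cmd)) for cmd in commands]


if __name__ == "__main__":
    pol = parse_shell_policy(POLICY_TEXT)
    for cmd, verdict, why in replay(pol, SESSION_COMMANDS):
        print(f"{verdict:6} {cmd!r:26} {why}")
```

Two points worth keeping in mind when reading the output: because matching is unanchored, `show running-config controllers vip` is denied by the `controllers vip` expression just as `show controllers vip` is, and a `permit "length 0"` rule also matches longer argument strings containing that text, so anchor expressions with `^` and `$` when that matters. Ordering within a block matters too: the `deny` in the `show` block only works because it precedes `permit .*`.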