For all of you that are using tacacs+ for AAA, if you want to assign admin privileges and permissions to your users, this is the configuration that has worked for me regarding a variety of Cisco devices:
IOS
user = username { default service = permit service = exec { priv-lvl=15 } }
IOS-XR
user = username { default service = permit service = exec { optional task="#root-system" } }
NX-OS
user = username { default service = permit service = exec { optional shell:roles="network-admin" } }
Notes:
1) The above tacacs+ configuration is not the full one; it's just the parts that define the "admin" level for specific users.
2) The "optional" keyword in IOS-XR and NX-OS is used in order to make devices that do not understand these attributes simply ignore them.
If you also want to restrict users to specific commands, then you can use something like the following:
user = username { default service = deny cmd = terminal { permit length.* permit width.* } cmd = show { permit radius.statistics permit interface.* permit ip.interface.* } cmd = clear { permit radius.statistics } }
Generally, command authorization is configured by specifying a list of egrep-style regular expressions to match command arguments and an action which is "deny" or "permit".
Note: Command authorization must have been enabled in your router configuration too. Also some commands (i.e. "clear") might need to have their privilege level changed.
The above configurations are from the freeware tacacs+ server, which has been heavily modified in order to suit our needs. Nevertheless, i believe they can apply to other versions too.
this need to be enabled in router.
ReplyDeleteHave a question how would you configure it if you need a user to user an IOS-XR and regualar IOS device.
ReplyDeleteDear Tassos
ReplyDeleteCan you just help me on one thing ?
When I log in to ASR Router ( IOS XR 4.3.1 ) then it logins directly to privilege mode. I mean # mode .
I just want to login first to User Exec mode then if I require I want to login to Privilege Mode.
Please suggest.