Saturday, October 9, 2010

Admin privileges in IOS, IOS-XR, NX-OS

For all of you using tacacs+ for AAA: if you want to assign admin privileges and permissions to your users, this is the configuration that has worked for me on a variety of Cisco devices:

IOS

# Grants privilege level 15 at login; "default service = permit" also
# allows any service or command that is not listed explicitly.
user = username {
        default service = permit
        service = exec {
                priv-lvl=15
        }
}

IOS-XR

# IOS-XR uses task groups instead of privilege levels.
user = username {
        default service = permit
        service = exec {
                optional task="#root-system"
        }
}

NX-OS

# NX-OS uses roles; network-admin is the built-in full-access role.
user = username {
        default service = permit
        service = exec {
                optional shell:roles="network-admin"
        }
}

Notes:

1) The above tacacs+ configuration is not the full one; it's just the parts that define the "admin" level for specific users.
2) The "optional" keyword in the IOS-XR and NX-OS entries marks the attribute as optional in the TACACS+ reply, so devices that do not understand it simply ignore it.

If you also want to restrict users to specific commands, then you can use something like the following:

# Default deny: any service or command without a matching rule is refused.
user = username {
        default service = deny
        cmd = terminal {
                permit length.*
                permit width.*
        }
        cmd = show {
                permit radius.statistics
                permit interface.*
                permit ip.interface.*
        }
        cmd = clear {
                permit radius.statistics
        }
}

Generally, command authorization is configured by listing, per command, egrep-style regular expressions that are matched against the command's arguments, each paired with an action of "permit" or "deny".
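As an added illustration (not code from this post or from the tacacs+ server), the following Python model shows how such a cmd block is evaluated: the post's rules are transcribed into a dict, each command line is split into the command word and its argument string, and the rules are tried in order with egrep-style regular expressions. The assumption that a pattern matches anywhere in the argument string unless it is anchored with ^ and $ is mine, taken from egrep behaviour; check it against your server's documentation. The second rule set anchors the same patterns and shows why that matters: unanchored, "permit interface.*" under "cmd = show" also matches "show running-config interface ...", which exposes more than the rule intended.

```python
import re

# Added example, not code from the original post or from tac_plus: a small
# model of how a tac_plus-style "cmd = <command> { permit|deny <regex> }"
# block is evaluated. Rules are tried in order; the first regex that matches
# the command's argument string decides. "default_service" plays the role of
# the post's "default service = permit|deny" for commands with no cmd block.
# Assumption (egrep semantics): a pattern matches anywhere in the argument
# string unless it is anchored with ^ and $.

# The post's restricted-user rules, transcribed into a dict (constructed).
COMMAND_RULES = {
    "terminal": [("permit", r"length.*"), ("permit", r"width.*")],
    "show": [
        ("permit", r"radius.statistics"),
        ("permit", r"interface.*"),
        ("permit", r"ip.interface.*"),
    ],
    "clear": [("permit", r"radius.statistics")],
}

# The same rules anchored so each pattern must cover the whole argument string.
ANCHORED_RULES = {
    cmd: [(action, r"^" + pattern + r"$") for action, pattern in cmd_rules]
    for cmd, cmd_rules in COMMAND_RULES.items()
}


def authorize(command_line, rules, default_service="deny"):
    """Return "permit" or "deny" for one command line."""
    parts = command_line.split()
    if not parts:
        return "deny"
    command, args = parts[0], " ".join(parts[1:])
    if command not in rules:
        # No cmd block for this command: fall back to "default service = ...".
        return default_service
    for action, pattern in rules[command]:
        if re.search(pattern, args):
            return action
    # A cmd block exists but no rule matched: the command is denied.
    return "deny"


def evaluate(rules, command_lines):
    """Authorize each command line; returns {command_line: decision}."""
    return {line: authorize(line, rules) for line in command_lines}


# Constructed command lines, including one that a loose pattern lets through.
SAMPLE_COMMANDS = [
    "terminal length 0",
    "show ip interface brief",
    "show interface GigabitEthernet0/1",
    "clear radius statistics",
    "clear counters",
    "show ip route",
    "configure terminal",
    "show running-config interface GigabitEthernet0/1",
]

if __name__ == "__main__":
    for label, rules in (("unanchored", COMMAND_RULES), ("anchored", ANCHORED_RULES)):
        print(f"--- {label} ---")
        for line, decision in evaluate(rules, SAMPLE_COMMANDS).items():
            print(f"{decision:6s} {line}")
```

Running the script prints the two decision tables; they differ only on the last constructed line, which the unanchored rules permit and the anchored rules deny. Everything without a cmd block ("configure terminal") is refused by "default service = deny", and a command whose arguments match no rule ("clear counters", "show ip route") is refused as well.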

Note: Command authorization must also be enabled in the router configuration. Some commands (e.g. "clear") might also need their privilege level changed.

The above configurations are from the freeware tacacs+ server, which has been heavily modified to suit our needs. Nevertheless, I believe they apply to other versions too.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Greece License.