Vendor-Specific Attributes for TACACS+
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific attributes (VSAs) between the network access server and the TACACS+ server. The IETF
uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general
use.
Cisco VSA Format for TACACS+
The Cisco TACACS+ implementation supports one vendor-specific option using the format recommended
in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named
cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for
mandatory attributes, and * (asterisk) indicates optional attributes.
When you use TACACS+ servers for authentication on a Cisco NX-OS device, the TACACS+ protocol directs
the TACACS+ server to return user attributes, such as authorization information, along with authentication
results. This authorization information is specified through VSAs.
The following VSA protocol options are supported by the Cisco NX-OS software:

Shell: Protocol used in access-accept packets to provide user profile information.

Accounting: Protocol used in accounting-request packets. If a value contains any white spaces, you should enclose the value within double quotation marks.

The Cisco NX-OS software supports the following attributes:

roles: Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white space. For example, if the user belongs to roles network-operator and network-admin, the value field would be network-operator network-admin. This subattribute, which the TACACS+ server sends in the VSA portion of the Access-Accept frames, can only be used with the shell protocol value. The following examples show the roles attribute as supported by Cisco ACS:
    shell:roles=network-operator network-admin
    shell:roles*network-operator network-admin
Note: When you specify a VSA as shell:roles*"network-operator network-admin", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.

accountinginfo: Stores accounting information in addition to the attributes covered by a standard TACACS+ accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the TACACS+ client on the switch. It can be used only with the accounting protocol data units (PDUs).

Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
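As an added example (not from the Cisco guide and not NX-OS or ACS code), a small Python parser for cisco-av-pair strings as described above: it splits the protocol, attribute, = or * separator and value, unwraps the double quotes used around values containing white space, extracts the white-space-delimited role list from shell:roles, and checks that each attribute arrives with the protocol the guide allows. The sample pairs are constructed, and the accountinginfo value is hypothetical.

```python
import re
from dataclasses import dataclass

# Added example, not Cisco code: parse cisco-av-pair strings of the form
# protocol:attribute<sep>value, where sep is "=" (mandatory) or "*" (optional).
AV_PAIR_RE = re.compile(r"^(?P<proto>[\w-]+):(?P<attr>[\w-]+)(?P<sep>[=*])(?P<val>.*)$")
ATTRIBUTE_PROTOCOL = {"roles": "shell", "accountinginfo": "accounting"}  # per the guide

@dataclass
class AvPair:
    protocol: str
    attribute: str
    mandatory: bool  # True for "=", False for "*"
    value: str

def parse_av_pair(text: str) -> AvPair:
    m = AV_PAIR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a cisco-av-pair: {text!r}")
    value = m.group("val")
    # A value containing white space may be wrapped in double quotes; unwrap it.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return AvPair(m.group("proto"), m.group("attr"), m.group("sep") == "=", value)

def check_pair(pair: AvPair) -> str:
    """Return 'ok' or the reason the pair should not be relied on as-is."""
    expected = ATTRIBUTE_PROTOCOL.get(pair.attribute)
    if expected is None:
        return f"unknown attribute {pair.attribute!r}"
    if pair.protocol != expected:
        return f"{pair.attribute} is only valid with the {expected} protocol"
    if pair.attribute == "roles" and not pair.mandatory:
        return "roles sent as optional (*); other Cisco devices ignore it"
    return "ok"

def roles_from_av_pair(pair: AvPair) -> list[str]:
    if (pair.protocol, pair.attribute) != ("shell", "roles"):
        raise ValueError("roles is carried only by the shell protocol")
    return pair.value.split()  # role names are delimited by white space

# Constructed sample pairs; the accountinginfo value is hypothetical.
SAMPLE_PAIRS = [
    "shell:roles=network-operator network-admin",
    'shell:roles*"network-operator network-admin"',
    'accounting:accountinginfo="console login"',
    "accounting:roles=network-admin",  # roles with the wrong protocol
]
```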
Configuring TACACS+