hit counter script

Configuring Role-Based Authorization On Tacacs+ Server - Cisco MDS 9000 Series Configuration Manual

Security
Hide thumbs Also See for MDS 9000 Series:
Table of Contents

Advertisement

Configuring Security Features on an External AAA Server
The Cisco MDS 9000 Family switches allow you to perform local authentication (using the lookup database)
or remote authentication (using one or more RADIUS servers or TACACS+ servers).
Authorization provides access control. It is the process of assembling a set of attributes that describe what the
user is authorized to perform. Based on the user ID and password combination, the user is authenticated and
authorized to access the network as per the assigned role. You can configure parameters that can prevent
unauthorized access by an user, provided the switches use the TACACS+ protocol.
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to
perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA
servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by
associating attribute-value (AV) pairs, which define those rights with the appropriate user.
The following steps explain the authorization and authentication process:
Procedure
Step 1
Log in to the required switch in the Cisco MDS 9000 Family, using the Telnet, SSH, Fabric Manager or
Device Manager, or console login options.
Step 2
When you have configured server groups using the server group authentication method, an authentication
request is sent to the first AAA server in the group.
• If the AAA server fails to respond, then the next AAA server is contacted and so on until the remote
• If all AAA servers in the server group fail to respond, then the servers in the next server group are
• If all configured methods fail, then by default local database is used for authentication. The next section
Step 3
When you are successfully authenticated through a remote AAA server, then the following possible actions
are taken:
• If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are
• If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user
• If user roles are not successfully retrieved from the remote AAA server, then the user is assigned the
Step 4
When your user name and password are successfully authenticated locally, you are allowed to log in, and you
are assigned the roles configured in the local database.

Configuring Role-based Authorization on TACACS+ Server

The following figure shows a flow chart of the authorization and authentication process.
server responds to the authentication request.
contacted.
will describe the way to disable this fallback.
downloaded with an authentication response.
roles specified as custom attributes for the shell.
network-operator role if the show aaa user default-role command is enabled. You are denied access if
this command is disabled.
Configuring Role-based Authorization on TACACS+ Server
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
35

Advertisement

Table of Contents
loading

Table of Contents