Clearpass TACACS+ Server with Cisco Nexus User Privilege Roles
Cisco Nexus NX-OS switches assign privileges to users (whether they log in via the local database or a remote source) in a slightly different way from their IOS counterparts. IOS uses privilege levels 0-15, whereas NX-OS uses roles such as 'network-admin' and 'network-operator'.
On IOS, level 0 provides no privileges, level 1 provides read-only access and level 15 provides full read-write access. On NX-OS, 'network-admin' is the equivalent of level 15 and 'network-operator' is the equivalent of level 1. On IOS, levels 2-14 can be configured with custom privileges; on the Nexus range this has been replaced by custom roles.
It is possible to enable 'feature privilege' on NX-OS to use the legacy 'priv-lvl' attribute. However, roles are just as easy and more flexible.
I recently needed to provide read-only access to a group of server admins who wanted to be able to view the running config and ACL tables of these switches. So, a pretty simple role was required:

role name custom-role-name
  description Read-Only role for IT Server Admins
  rule 1 permit read
  rule 2 permit command show run
exit
Users would then authenticate against our ClearPass (CPPM) TACACS+ server and have the desired role returned.
A new enforcement profile was created using the 'TACACS+ Based Enforcement' template. The 'Privilege Level' was set to '1 (Normal)', the service was 'Shell' and the 'Type' was also 'Shell', with 'Name' set to 'cisco-av-pair' and 'Value' set to shell:roles="custom-role-name".
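As an added example (not part of the original post or of ClearPass), a small Python check that parses the cisco-av-pair value the enforcement profile returns and audits the NX-OS role definition to confirm every rule the role grants is read-only. The role text and av-pair string are constructed from the configuration above; the handling of the built-in 'network-admin' and 'network-operator' roles is an assumption based on their documented equivalence to levels 15 and 1.

```python
import re

# Constructed sample: the role definition from the post, as NX-OS would show it.
ROLE_CONFIG = """
role name custom-role-name
  description Read-Only role for IT Server Admins
  rule 1 permit read
  rule 2 permit command show run
"""

# Constructed sample: the 'Value' of the cisco-av-pair in the ClearPass enforcement profile.
AV_PAIR = 'shell:roles="custom-role-name"'

# A rule is read-only if it is "permit read" (not "read-write") or permits a "show" command.
READ_ONLY_RULE = re.compile(r"^rule\s+\d+\s+permit\s+(?:read(?:\s|$)|command\s+show\b)")
DENY_RULE = re.compile(r"^rule\s+\d+\s+deny\b")

def parse_roles(av_pair: str) -> list[str]:
    """Return the role names carried in a shell:roles av-pair (quoted, space-separated)."""
    m = re.fullmatch(r'shell:roles="([^"]*)"', av_pair.strip())
    if not m:
        raise ValueError(f"not a shell:roles av-pair: {av_pair!r}")
    return m.group(1).split()

def parse_role_config(text: str) -> dict[str, list[str]]:
    """Map each 'role name X' block in NX-OS config text to its rule lines."""
    roles: dict[str, list[str]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("role name "):
            current = line.split(maxsplit=2)[2]
            roles[current] = []
        elif current and line.startswith("rule "):
            roles[current].append(line)
    return roles

def audit_read_only(av_pair: str, role_config: str) -> list[str]:
    """Return findings; an empty list means every returned role exists and is read-only."""
    roles = parse_role_config(role_config)
    findings = []
    for name in parse_roles(av_pair):
        if name == "network-admin":  # assumption: built-in level-15 equivalent
            findings.append(f"{name}: built-in full read-write role")
        elif name == "network-operator":  # assumption: built-in level-1 equivalent
            continue
        elif name not in roles:
            findings.append(f"{name}: not defined on switch")
        else:
            for rule in roles[name]:
                if not DENY_RULE.match(rule) and not READ_ONLY_RULE.match(rule):
                    findings.append(f"{name}: grants more than read access: {rule}")
    return findings
```

Run this against the role definition pulled from 'show running-config' before pointing an enforcement profile at it; a returned role name that is not defined on the switch fails the login, so the "not defined" finding is also a quick sanity check for typos in the av-pair value.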