
Clearpass TACACS+ Server with Cisco Nexus User Privilege Roles


Networking, Security

Cisco Nexus NX-OS switches take a slightly different approach from their IOS counterparts to assigning privileges to users who log in either via the local database or a remote source. IOS uses privilege levels 0-15, whereas NX-OS uses the roles ‘network-admin’ and ‘network-operator’.

IOS level 0 provides no privileges, level 1 provides read-only access and level 15 full read-write. On NX-OS, ‘network-admin’ is the equivalent of level 15 and ‘network-operator’ of level 1. Levels 2-14 can be configured with custom privileges on IOS; on the Nexus range this has been replaced by custom roles.

It is possible to enable ‘feature privilege’ on NX-OS to get the legacy IOS-style privilege levels (‘priv-lvl’). However, roles are just as easy and more flexible.

I recently needed to provide read-only access to a group of server admins who wanted to be able to view the running config and ACL tables of these switches. So, a pretty simple role was required:

role name custom-role-name
   description Read-Only role for IT Server Admins
   rule 1 permit read
   rule 2 permit command show run
   exit

Users would then authenticate against our TACACS+ Clearpass CPPM and have the desired role returned.

A new enforcement profile was created using the ‘TACACS+ Based Enforcement’ template where the ‘Privilege Level’ was set to ‘1 (Normal)’, the service was ‘Shell’ and the ‘Type’ was also ‘Shell’, with ‘Name’ set to ‘cisco-av-pair’ and ‘Value’ to ‘shell:roles="custom-role-name"’.

[Screenshot: Clearpass CPPM TACACS+ enforcement profile]
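As an added illustration (not part of the original post, and not Cisco's or Aruba's code), the Python below models the two halves of the flow: it parses the ‘priv-lvl’ and ‘shell:roles’ attributes a TACACS+ client would receive from the enforcement profile, then checks sample commands against the role rules above to show what the server admins can and cannot run. The NX-OS evaluation semantics are assumptions made for the example: rules are checked from the highest number down, the first match decides, anything unmatched is denied, and ‘permit read’ is modelled as covering ‘show’ commands other than the running/startup configuration, which is why rule 2 is needed in the author's role.

```python
import re
from dataclasses import dataclass, field

# Constructed TACACS+ authorization reply attributes, modelled on the Clearpass
# enforcement profile described above (not a real capture).
SAMPLE_AUTHZ_ATTRIBUTES = [
    "priv-lvl=1",
    'shell:roles="custom-role-name"',
]


def parse_shell_roles(attributes):
    """Return the NX-OS role names carried in a cisco-av-pair shell:roles attribute.

    Accepts the mandatory ('=') and optional ('*') AV-pair separators, strips the
    surrounding double quotes and splits space-separated role lists.
    """
    roles = []
    for attr in attributes:
        m = re.match(r'^shell:roles[=*](.*)$', attr)
        if m:
            roles.extend(m.group(1).strip().strip('"').split())
    return roles


def parse_priv_lvl(attributes):
    """Return the priv-lvl attribute as an int, or None if it is absent."""
    for attr in attributes:
        m = re.match(r'^priv-lvl[=*](\d+)$', attr)
        if m:
            return int(m.group(1))
    return None


@dataclass
class Rule:
    number: int
    action: str          # "permit" or "deny"
    kind: str            # "read", "read-write" or "command"
    pattern: str = ""    # regex matched against the command when kind == "command"


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)


# The author's role, transcribed from the NX-OS configuration above.
CUSTOM_ROLE = Role("custom-role-name", [
    Rule(1, "permit", "read"),
    Rule(2, "permit", "command", "show run"),
])

# Assumption for this example: the built-in network-operator role behaves like a
# bare 'permit read', i.e. show commands but no running/startup configuration.
NETWORK_OPERATOR = Role("network-operator", [Rule(1, "permit", "read")])

ROLES_DB = {r.name: r for r in (CUSTOM_ROLE, NETWORK_OPERATOR)}

# Assumption: these config-revealing commands sit outside 'permit read'.
CONFIG_REVEALING = ("show running-config", "show run", "show startup-config", "show start")


def matches_read_rule(command):
    """'permit read' as modelled here: any show command except the configuration."""
    return command.startswith("show ") and not command.startswith(CONFIG_REVEALING)


def command_permitted(role, command):
    """Assumed NX-OS rule evaluation: highest rule number first, the first
    matching rule decides, and no match means deny."""
    for rule in sorted(role.rules, key=lambda r: r.number, reverse=True):
        if rule.kind == "command":
            matched = re.match(rule.pattern, command) is not None
        elif rule.kind == "read":
            matched = matches_read_rule(command)
        elif rule.kind == "read-write":
            matched = True
        else:
            matched = False
        if matched:
            return rule.action == "permit"
    return False


def authorize(attributes, roles_db, command):
    """Resolve the roles returned by TACACS+ and permit the command if any of
    them allows it; unknown role names and an empty role list are denied."""
    roles = [roles_db[name] for name in parse_shell_roles(attributes) if name in roles_db]
    return any(command_permitted(role, command) for role in roles)


if __name__ == "__main__":
    for cmd in ("show running-config", "show ip access-lists", "configure terminal"):
        verdict = "permit" if authorize(SAMPLE_AUTHZ_ATTRIBUTES, ROLES_DB, cmd) else "deny"
        print(f"{cmd!r:24} -> {verdict}")
```

Running it shows the point of rule 2: with only ‘permit read’ (the network-operator model) ‘show running-config’ is denied, while the custom role permits it and the ACL tables but still refuses ‘configure terminal’.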

Job done.


