Managing AAA Servers
The system uses the following functionalities to manage AAA servers:
Adding AAA Servers
Modifying AAA Servers
Adding Vendor Specific Codes to AAA Servers
RADIUS
Add the Arista vendor-specific code to the RADIUS dictionary:
    VENDOR Arista 30065
    BEGIN-VENDOR Arista
    ATTRIBUTE Arista-AVPair 1 string
    END-VENDOR Arista
To specify a role for a user:
    "bob" Cleartext-Password := "Pa$sW04d"
        Arista-AVPair = "shell:cvp-roles=network-admin",
        Service-Type = NAS-Prompt-User
TACACS+
For TACACS+ there is no vendor specific code, just different strings.
Note: CloudVision support for TACACS+ servers can be affected by the
setting of the “service” parameter. Some TACACS+ servers may require "service =
shell" instead of "service = exec" in the TACACS+ configuration
(tacacs.conf).
This example configures user “bob” in the admin group and specifies certain attributes. It specifies a "cvp-roles" attribute for the CloudVision role name (it can also be a list of roles).
A. tacacs.conf
    group = admingroup {
        default service = deny
        service = exec {
            default attribute = permit
            priv-lvl = 15
            cvp-roles = network-admin
        }
        enable = nopassword
    }
    user = bob {
        login = cleartext "secret"
        member = admingroup
    }
B. CVP AAA settings
C. Switch AAA configlet
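An added example, not part of the original page or of Arista's tooling: a small Python check over a tac_plus-style file such as the tacacs.conf in part A. It confirms that each user inherits a cvp-roles attribute from a service exec or service shell block, and reports the cleartext login and passwordless enable that the sample uses. The function names parse and lint are hypothetical.

```python
# Added example (not Arista's code); SAMPLE is the tacacs.conf from part A.
SAMPLE = """
group = admingroup {
    default service = deny
    service = exec {
        default attribute = permit
        priv-lvl = 15
        cvp-roles = network-admin
    }
    enable = nopassword
}
user = bob {
    login = cleartext "secret"
    member = admingroup
}
"""

def parse(text):
    """Parse nested 'kind = name {' blocks and 'key = value' attributes."""
    root = {"kind": "root", "name": "", "attrs": {}, "blocks": []}
    stack = [root]
    for line in (l.strip() for l in text.splitlines()):
        key, _, val = (p.strip() for p in line.partition("="))
        if line == "}":
            stack.pop()                      # close the current block
        elif val.endswith("{"):
            blk = {"kind": key, "name": val[:-1].strip(), "attrs": {}, "blocks": []}
            stack[-1]["blocks"].append(blk)
            stack.append(blk)                # descend into the new block
        elif val:
            stack[-1]["attrs"][key] = val    # plain attribute of current block
    return root

def lint(text):
    """Return (user, finding) pairs: missing cvp-roles and weak credentials."""
    top = parse(text)["blocks"]
    groups = {b["name"]: b for b in top if b["kind"] == "group"}
    out = []
    for user in (b for b in top if b["kind"] == "user"):
        grp = groups.get(user["attrs"].get("member"), {"attrs": {}, "blocks": []})
        svcs = [b for b in grp["blocks"] + user["blocks"]
                if b["kind"] == "service" and b["name"] in ("exec", "shell")]
        if not any("cvp-roles" in s["attrs"] for s in svcs):
            out.append((user["name"], "no cvp-roles under service exec/shell"))
        if user["attrs"].get("login", "").startswith("cleartext"):
            out.append((user["name"], "login stored as cleartext"))
        if grp["attrs"].get("enable") == "nopassword":
            out.append((user["name"], "enable = nopassword"))
    return out
```

Run `lint()` on the text of a tacacs.conf before pointing CVP at the server; an empty list means every user has a CloudVision role and none of the flagged credential settings.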
CISCO ACS
To ensure that authentication and authorization work properly, complete
the following procedures.
Creating Identity Groups and Users
- Select Users and Identity Stores, and then select Identity Groups.
- Make sure a group named <user-group> exists. If this group does not exist, add it.
- Add new users under the group named <user-group>.
Creating a Shell Profile using ACS
Creating and Modifying Access Policy
Supported TACACS Types
CloudVision Portal (CVP) supports different types of TACACS. The table "Supported TACACS
Types" lists the supported types of TACACS, including the following information
for each TACACS type:
- Supported version
- Service shell (whether it is supported for each type)
- Service exec (only the following attributes are supported):
  - acl
  - default
  - double-quote-values
  - message
  - optional
  - protocol
  - return
  - script
  - set
TACACS Type | Supported Version | Service Shell | Service Exec |
---|---|---|---|
tac_plus (Shrubbery) | F4.0.4.26 | Not Applicable | Supported |
tac_plus (Probono) | 201706241310, 201503290942/DES | Supported | Supported |
CISCO ACS | 4.4.0.46, 5.3.0.40 | Supported | Not Applicable |
Removing AAA Servers
Complete these steps to remove AAA servers: