Send documentation comments to mdsfeedback-doc@cisco.com.
27-8
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 27 RADIUS and TACACS+
Configuring TACACS+
The following attributes are supported:
•roles—This attribute lists all the roles to which the user belongs. The value field is a string storing
the list of group names delimited by white space. For example, if you belong to roles vsan-admin
and storage-admin, the value field would be “vsan-admin storage-admin.” This subattribute is
sent in the VSA portion of the Access-Accept frames from the RADIUS server, and it can only be
used with the shell protocol value. These are two examples using the roles attribute:
shell:roles=“network-admin vsan-admin”
shell:roles*“network-admin vsan-admin”
When an VSA is specified as shell:roles*“network-admin vsan-admin”, this VSA is flagged as
an optional attribute, and other Cisco devices ignore this attribute.
•accountinginfo—This attribute stores additional accounting information besides the attributes
covered by a standard RADIUS accounting protocol. This attribute is only sent in the VSA portion
of the Account-Request frames from the RADIUS client on the switch, and it can only be used with
the accounting protocol-related PDUs.
Specifying SNMPv3 on AAA Servers
The vendor/custom attribute cisco-av-pair can be used to specify user’s role mapping using the
format:
shell:roles="roleA roleB …"
As of Cisco MDS SAN-OS Release 2.0, the VSA format is enhanced to optionally specify your SNMPv3
authentication and privacy protocol attributes as follows:
shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128
The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are
AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server,
MD5 and DES are used by default.
Note Only administrators can view the RADIUS preshared key.
Configuring TACACS+
A Cisco MDS switch uses the Terminal Access Controller Access Control System Plus (TACACS+)
protocol to communicate with remote AAA servers. You can configure multiple TACACS+ servers and
set timeout values.