Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 27 RADIUS and TACACS+
You can also configure optional custom attributes to avoid conflicts with non-MDS Cisco switches using
the same AAA servers.
cisco-av-pair*shell:roles="network-admin vsan-admin"
The additional custom attribute shell:roles is also supported:
shell:roles="network-admin vsan-admin"
or
shell:roles*"network-admin vsan-admin"
Note: TACACS+ custom attributes can be defined on an Access Control Server (ACS) for various services (for
example, shell). Cisco MDS 9000 Family switches require the TACACS+ custom attribute for the service
shell to be used for defining roles.
Supported TACACS+ Servers
The Cisco MDS SAN-OS software currently supports the following parameters for the listed TACACS+
servers:
• TACACS:
  cisco-av-pair=shell:roles="network-admin"
• Cisco ACS TACACS:
  shell:roles="network-admin"
  shell:roles*"network-admin"
  cisco-av-pair*shell:roles="network-admin"
  cisco-av-pair*shell:roles*"network-admin"
  cisco-av-pair=shell:roles*"network-admin"
• Open TACACS:
  cisco-av-pair*shell:roles="network-admin"
  cisco-av-pair=shell:roles*"network-admin"
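As an added example (not part of the Cisco guide), the following Python code parses a role attribute string into its separators and role list and checks the form against the per-server list above, so a mistyped attribute can be caught before it is entered on an AAA server. The function names and sample strings are constructed for illustration, and "not listed" reflects only the forms printed on this page.

```python
import re

# Grammar taken from the forms listed above: optional "cisco-av-pair" prefix,
# "shell:roles", each followed by "=" or "*", then a quoted role list.
ATTR_RE = re.compile(
    r'^(?:cisco-av-pair(?P<outer>[=*]))?shell:roles(?P<inner>[=*])"(?P<roles>[^"]*)"$'
)

# Separator pairs (after cisco-av-pair, after shell:roles) listed per server
# type under "Supported TACACS+ Servers"; None means the prefix is absent.
LISTED_FORMS = {
    "TACACS": {("=", "=")},
    "Cisco ACS TACACS": {(None, "="), (None, "*"), ("*", "="), ("*", "*"), ("=", "*")},
    "Open TACACS": {("*", "="), ("=", "*")},
}

def parse_role_attribute(attr):
    """Split a role attribute into ((outer_sep, inner_sep), [roles])."""
    text = attr.strip()
    # Curly quotes pasted from a PDF or word processor are a common typo.
    if "\u201c" in text or "\u201d" in text:
        raise ValueError("typographic quote in attribute; use ASCII double quotes")
    m = ATTR_RE.match(text)
    if m is None:
        raise ValueError(f"not a shell:roles attribute: {attr!r}")
    roles = m.group("roles").split()
    if not roles:
        raise ValueError("empty role list")
    return (m.group("outer"), m.group("inner")), roles

def audit(attr, server_type):
    """Return (ok, detail) for one attribute string on one server type."""
    try:
        form, roles = parse_role_attribute(attr)
    except ValueError as exc:
        return False, str(exc)
    if form not in LISTED_FORMS[server_type]:
        return False, f"form not listed for {server_type}"
    return True, " ".join(roles)

# Constructed sample input, not taken from a real AAA server.
SAMPLES = [
    ('cisco-av-pair*shell:roles="network-admin vsan-admin"', "Open TACACS"),
    ('shell:roles="network-admin"', "Open TACACS"),
    ('shell:roles*"network-admin vsan-admin\u201d', "Cisco ACS TACACS"),
]

if __name__ == "__main__":
    for attr, server in SAMPLES:
        print(server, attr, audit(attr, server))
```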
Configuring Server Groups
You can specify one or more remote AAA servers to authenticate users using server groups. All members
of a group must belong to the same protocol: either RADIUS or TACACS+. The servers are tried in the
same order in which you configure them.
You can configure these server groups at any time but they only take effect when you apply them to an
AAA service.
To configure a RADIUS or TACACS+ server group, follow these steps:
Step 1 Choose Switches > Security > AAA in Fabric Manager or choose Security > AAA in Device Manager.
Step 2 Choose the Server Group tab. You see the RADIUS or TACACS+ servers configured.
Step 3 Click Create Row in Fabric Manager or Create in Device Manager. You see the Create Server dialog
box.