Chapter 4 Configuring the CSS as a Client of a TACACS+ Server
Configuring TACACS+ Server User Accounts for Use with the CSS
Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Key - Enter the shared secret that the CSS and Cisco Secure ACS use to
authenticate transactions. For correct operation, you must specify the
identical shared secret on both the Cisco Secure ACS and the CSS. The key
is case-sensitive.
Authenticate Using - Select TACACS+ (Cisco IOS).
Configuring Authorization Settings
To determine the privilege level of users accessing the CSS, you must configure
the user accounts on the TACACS+ server to permit or deny execution of the
privilege command. The CSS queries the TACACS+ server for authorization to
execute the privilege command. If the server allows the privilege command, the
user is granted privileged (SuperUser and configuration modes) access to the
CSS. If the server denies the privilege command, the user is granted
nonprivileged (User mode) access to the CSS.
To configure the group authorization settings:
1. From the Group Setup section of the Cisco Secure ACS HTML interface,
Group Setup Select page, select the group for which you want to configure
TACACS+ settings.
2. On the Shell Command Authorization Set page, click the Per Group
Command Authorization checkbox.
3. Under Unmatched Cisco IOS Commands, either permit or deny execution
of the privilege command:
For a group that has SuperUser privileges on the CSS, select Permit. A
SuperUser can issue any CSS command.
For a group that has User privileges on the CSS, select Deny. A user can
issue CSS commands that do not change the CSS configuration; for
example, show commands.
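The decision rule above, modelled in Python as an added example (not Cisco's code and not an ACS export format): it derives the CSS access level for each group from its Unmatched Cisco IOS Commands setting and flags groups that reach SuperUser without being on an approved list. The Group record, the explicit per-command override, and all group names are assumptions constructed for illustration.

```python
# Added illustration: models the permit/deny decision described in this section.
# The group records below are constructed sample data, not an ACS export format.
from dataclasses import dataclass, field

PRIVILEGE_CMD = "privilege"  # the command the CSS asks the server to authorize


@dataclass
class Group:
    name: str
    unmatched: str  # "permit" or "deny" (Unmatched Cisco IOS Commands)
    explicit: dict = field(default_factory=dict)  # assumption: per-command overrides


def server_allows(group, command):
    """Explicit entry wins if present (assumption); else the unmatched setting decides."""
    action = group.explicit.get(command, group.unmatched).lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"{group.name}: unknown action {action!r}")
    return action == "permit"


def css_access(group):
    """Access level the CSS grants: privilege permitted -> SuperUser, denied -> User."""
    return "SuperUser" if server_allows(group, PRIVILEGE_CMD) else "User"


def audit(groups, approved_superuser):
    """Return names of groups that reach SuperUser without being approved for it."""
    return sorted(g.name for g in groups
                  if css_access(g) == "SuperUser" and g.name not in approved_superuser)


GROUPS = [  # constructed sample groups
    Group("css-admins", "permit"),
    Group("css-operators", "deny"),
    Group("helpdesk", "permit"),                    # broad default left on
    Group("noc", "permit", {"privilege": "deny"}),  # default permit, privilege denied
]

if __name__ == "__main__":
    for g in GROUPS:
        print(f"{g.name:14} -> {css_access(g)}")
    print("unexpected SuperUser groups:", audit(GROUPS, {"css-admins"}))
```
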
An alternative way to configure the group authorization settings is as follows:
1. Select Shared Profile Components, Shell Command Authorization Sets
page.
2. Click the Add button to add a set or to edit an existing set.
3. Enter a name and description.