Setting TACACS+ Authorization | Cisco Systems OL-5650-02 specs

Chapter 4 Configuring the CSS as a Client of a TACACS+ Server

Setting TACACS+ Authorization

Setting TACACS+ Authorization

TACACS+ authorization allows the TACACS+ server to control specific CSS commands that the user can execute. CSS authorization divides the command set into two categories:

•Configuration commands that change the CSS running configuration. For example, all commands in global configuration mode. For a complete list of global configuration mode commands, refer to the Cisco Content Services Switch Command Reference.

•Nonconfiguration commands that do not change the running configuration. These commands include, but are not limited to, mode transition, show, and administrative commands. For example, cls (clear screen), endbranch, help, ping, show, terminal, traceroute, and so on. For a complete list of nonconfiguration commands, refer to the Cisco Content Services Switch Command Reference.

Note When you configure TACACS+ on a CSS, the CSS does not authorize scripts through the TACACS+ server. Because the CSS transforms all XML commands into scripts, the CSS also does not authorize XML commands through the TACACS+ server.

By default, authorization is disabled. When authorization is enabled, the TACACS+ server is responsible for granting permission or denying all attempts to issue commands.

When you enable authorization, the exchange between the TACACS+ server and the CSS causes a delay in executing the command. Failure of the TACACS+ server results in the failure of all authorization requests and the suspension of user activity unless another server is reachable. To enable users to execute commands in this case, configure a failover authentication method to a local user database. Users must log back in to the CSS.

		Cisco Content Services Switch Security Configuration Guide
		Cisco Content Services Switch Security Configuration Guide
	OL-5650-02			4-11
	OL-5650-02			4-11

Image 93

Cisco Systems OL-5650-02 manual Setting TACACS+ Authorization

Contents

Cisco Content Services Switch Security Configuration Guide Cisco Content Services Switch Security Configuration Guide Iii N T E N T S ACL Overview Configuring the CSS as a Client of a Radius Server Configuring Firewall Load Balancing Vii Example of Fwlb Viii B L E S OL-5650-02 Preface How to Use This Guide AudienceXii Xiii Related Documentation Xiv Rmon Document Title Description Xvi Symbols and Conventions Obtaining Documentation Cisco.comXvii Documentation DVD Documentation FeedbackOrdering Documentation Xviii Reporting Security Problems in Cisco Products Cisco Product Security OverviewXix Cisco Technical Support Website Obtaining Technical Assistance Xxi Submitting a Service Request Xxii Definitions of Service Request Severity Xxiii Xxiv Controlling CSS Access Config# username-offdm bobo password secret Changing the Administrative Username and Password Config# username picard password captain superuser Creating Usernames and Passwords Controlling CSS Access Creating Usernames and Passwords Config# username picard password captain superuser Nwbnnnr Config# no username picardConfig# username picard password flute superuser Controlling Remote User Access to the CSS Configuring Virtual Authentication Configuring Console Authentication #config virtual authentication primary tacacs#config virtual authentication secondary local #config console authentication primary tacacs #config console authentication secondary local#config no console authentication Enabling Administrative Access to the CSS Controlling Administrative Access to the CSS Config# no restrict web-mgmt Disabling Administrative Access to the CSS Config# restrict telnet Controlling CSS Network Traffic Through Access Control Lists ACL Overview ACL ACL Configuration Quick Start Config-acl7#clause 10 deny any any destination range 20 Config-acl7#clause 15 permit any any destination anyConfig-acl7#apply circuit-VLAN1 Creating an ACL Config# acl disable Config-acl7#remove circuit-VLAN1Deleting an ACL Configuring Clauses Cisco Content Services Switch Security Configuration Guide Variables Options Parameters Destination content ownername/ rulename for an Variables OptionsParameters Show group ? Variables Options Parameters Prefer Adding a Clause When ACLs are Globally Enabled Config-acl7remove circuit-VLAN1 Config-acl7apply circuit-VLAN1Deleting a Clause Applying an ACL to a Circuit or DNS Queries Removing an ACL from Circuits or DNS Queries Enabling ACLs on the CSS Showing ACLs Disabling ACLs on the CSS Field Description Logging ACL Activity Setting the Show ACL Counters to Zero Config-acl7#clause 1 log disable Config-acl7#clause 1 log enable ACL Example Config# no logging subsystem acl Configuring Network Qualifier Lists for ACLs Creating an NQL Describing an NQLAdding Networks to an NQL Config-nqlbypassnql#no ip address 192.168.0.0/16 Config# logging subsystem nql level debug-7 Adding an NQL to an ACL Clause Showing NQL Configurations Configuring the Secure Shell Daemon Protocol # license Enabling SSH Configuring Sshd in the CSS Configuring SSH AccessConfiguring Sshd Keepalive Config# no restrict ssh Configuring Sshd Server-Keybits Configuring Sshd Port Config# sshd server-keybits Configuring Sshd VersionConfig# no sshd server-keybits Config# sshd version Showing Sshd Configurations Configuring Telnet Access When Using SshdConfig# no restrict telnet # show sshd config # show sshd sessions # show sshd version Ptyfd Radius Server Configuring the CSS as a Client of a Radius Server Radius Configuration Quick Start Config# radius-server primary 172.27.56.76 secret HelloConfig# radius-server secondary 172.27.56.79 secret Hello #config virtual authentication primary radius Configuring a Radius Server for Use with the CSS Configuring Authorization Settings Configuring Authentication Settings Specifying a Primary Radius Server Config# no radius-server primary Config# no radius-server secondarySpecifying a Secondary Radius Server Configuring the Radius Server Retransmits Configuring the Radius Server TimeoutsConfig# radius-server timeout Config# no radius-server timeout Config# no radius-server retransmit Configuring the Radius Server Dead-TimeConfig# radius-server dead-time Config# no radius-server dead-time DOWN, Unknown Config# show radius statistics secondary 3describes the fields in the show radius statistics output OL-5650-02 TACACS+ Server TACACS+ Configuration Quick Start Config# show tacacs-server Configuring Authorization Settings Configuring Global TACACS+ Attributes Setting the Global CSS TACACS+ Timeout Period #config tacacs-server timeout#config no tacacs-server timeout #config tacacs-server key market Setting the Global TACACS+ Keepalive Frequency#config tacacs-server key acskefterefesdtx #config no tacacs-server key Defining a TACACS+ Server Config# no tacacs-server frequency OL-5650-02 #config no tacacs-server 192.168.11.1 Setting TACACS+ Authorization #config tacacs-server authorize non-config #config tacacs-server authorize config#config no tacacs-server authorize config #config no tacacs-server authorize non-config Setting TACACS+ Accounting Showing TACACS+ Server Configuration Information Field Description OL-5650-02 Configuring Firewall Load Balancing Overview of Fwlb Firewall Synchronization Configuring Fwlb Configuring a Keepalive Timeout for a Firewall Config# ip firewall 1 192.168.27.1 192.168.28.1Config# no ip firewall Configuring an IP Static Route for a Firewall Config# ip firewall timeoutConfig# no ip firewall timeout Config# ip route 192.168.2.0/24 firewall 1 Configuring Ospf to Advertise Firewall RoutesConfig# no ip route 192.168.2.0/24 firewall Config# ospf redistribute firewall metric 3 type1 Example of Fwlb Static Route Configuration Configuring RIP to Advertise Firewall RoutesConfig# no ospf redistribute firewall Config# rip redistribute firewall Config# ip route 192.168.2.0/24 firewall Config# ip firewall 1 192.168.28.1 192.168.27.1Config# ip firewall 2 192.168.28.2 192.168.27.2 Config# ip route 0.0.0.0/0 firewall Example of Fwlb Configuring Fwlb with VIP and Virtual Interface Redundancy Fwlb with VIP/Interface Redundancy Configuration Cisco Content Services Switch Security Configuration Guide CSS-OUT-L Configuration Example of Firewall and Route Configurations CSS-IN-L Configuration Config# show flows 192.165.22.1 Config# show flowsDisplaying Firewall Flow Summaries Displaying Firewall IP Routes Config# show ip routes firewall Displaying Firewall IP Information Config# show ip firewall OL-5650-02 IN-1 D E IN-2 IN-3 FTP IN-4 Radius IN-5 XML IN-6