Read-Only with TACACS+

richard_curtin — Tue, 26 Jun 2018 20:24:20 GMT

I have recently spun up a TACACS+ server and got it configured in a test environment before we go live. I have been able to get mostly everything configured with the exception of a Read-Only user. I am using TacasGUI with MAVIS LDAP. The LDAP is working perfectly and the groups are working as they are supposed to. I am just unable to have any AAA Authenticated user actually show up as a Read-Only user. If I set an AD group in Tacacs to privilege level 15 they will get SU privileges and any other level including 5 shows as Port-Config when doing a #show who command to check SSH connections. If I change the Read-Only to use Privilege level 15 it will then log in as a SU so I know the groups are working and using the config in Tacacs. Below is a small snippet of my configs maybe I am missing something obvious.

I have 3 AD groups Admins, Read-Only, and Ports-Only

Snippet from switch config (let me know if you need to see more)

Current configuration:
!
ver 08.0.30mbT311
!
stack unit 1
module 1 icx6430c-12-port-management-module
module 2 icx6430c-copper-2port-2g-module
module 3 icx6430c-fiber-2port-2g-module

aaa authentication login default local tacacs+
aaa authentication login privilege-mode
aaa authorization exec default tacacs+ none
aaa accounting commands 0 default start-stop tacacs+
hostname Tacacs_Test
ip address 0.0.0.0 255.255.255.0

This is a snippet from my Tacacs config as well.

group = Admins {
default service = permit
service = shell {
default cmd = permit
set priv-lvl = 15
}
} #END OF Admins

group = Read-Only {
default service = permit
service = shell {
default cmd = permit
set priv-lvl = 5
}
} #END OF Read-Only

group = Ports-Only {
default service = permit
service = shell {
default cmd = permit
set priv-lvl = 4
}
} #END OF Ports-Only

This is the #show who output while all 3 users (one in each group) are logged in.

1 established, client ip address 0.0.0.0, server hostkey DSA, user is test13784, privilege port-config
using vrf default-vrf.
32 second(s) in idle
2 established, client ip address 0.0.0.0, server hostkey DSA, user is curtinr, privilege super-user
using vrf default-vrf.
you are connecting to this session
56 second(s) in idle
3 established, client ip address 0.0.0.0, server hostkey DSA, user is test12689, privilege port-config
using vrf default-vrf.
5 second(s) in idle

So as you can see even though Read-Only is set to 5 and Ports-Only is set to 4 both users appear to have Port-Config privileges. I have tested level 5 on a local user and it shows as having true level 5 Read-Only privileges but just not using AAA.

topic Read-Only with TACACS+ in ICX Switches

Read-Only with TACACS+