Cisco Systems OL-5650-02 Switch User Manual


 
Chapter 4 Configuring the CSS as a Client of a TACACS+ Server
Cisco Content Services Switch Security Configuration Guide
OL-5650-02
In releases prior to 7.30.1.05, if you transitioned from one CLI mode to another
(for example, from config mode to service mode) and the service already existed,
the CSS did not perform authorization on the command, regardless of whether
TACACS+ authorization was enabled for configuration or nonconfiguration
commands. If you were creating a service and authorization for configuration
commands was enabled, the CSS queried the TACACS+ server to determine whether
you were authorized to perform the command. In software version 7.30.1.05 and
later, on a mode transition for an existing service, the CSS sends a command
authorization request to the TACACS+ server if authorization of nonconfiguration
commands is enabled.
Use the tacacs-server authorize config command to enable authorization of all
commands that change the running configuration. For example:
(config)# tacacs-server authorize config
Use the tacacs-server authorize non-config command to enable authorization of
all commands that do not change the running configuration. For example:
(config)# tacacs-server authorize non-config
Use the no form of these commands to disable authorization. For example, to
disable authorization for commands that affect the running configuration, enter:
(config)# no tacacs-server authorize config
To disable authorization for commands that do not affect the running
configuration, enter:
(config)# no tacacs-server authorize non-config
Sending Full CSS Commands to the TACACS+ Server
The CSS can send commands to the TACACS+ server in the abbreviated syntax that
users enter. By default, however, the CSS sends the full syntax of each command,
even when you enter the command in its abbreviated form. Expanding the syntax
minimizes TACACS+ command authorization failures caused by abbreviations.
Use the no form of the command to stop the CSS from sending the full command
and instead send the command as the user entered it. For example, enter:
(config)# no tacacs-server send-full-command
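
The following added example (not from the Cisco guide) models why the setting matters: a TACACS+ server matches the exact string it receives, so a rule written for the full command does not match an abbreviation. The keyword tree, the policy rules, the service name web1, and the unique-prefix expansion logic are constructed assumptions, not the CSS implementation.

```python
import re

# Constructed keyword tree: a hypothetical subset of a CLI grammar.
# "*" marks a free-form argument such as a service name.
TREE = {
    "show": {"running-config": {}, "rule": {}},
    "service": {"*": {}},
    "no": {"service": {"*": {}}},
}

# Constructed server policy: first matching rule wins, no match means deny.
POLICY = [
    ("deny", r"^no service \S+$"),
    ("permit", r"^show running-config$"),
    ("permit", r"^service \S+$"),
]

def expand(line, tree=TREE):
    """Expand unique-prefix abbreviations (assumed model of CLI expansion)."""
    out, node = [], tree
    for tok in line.split():
        if tok in node and tok != "*":
            matches = [tok]                      # exact keyword wins
        else:
            matches = [k for k in node if k != "*" and k.startswith(tok)]
        if len(matches) == 1:
            word, node = matches[0], node[matches[0]]
        elif not matches and "*" in node:
            word, node = tok, node["*"]          # free-form argument
        else:
            raise ValueError(f"ambiguous or unknown token: {tok!r}")
        out.append(word)
    return " ".join(out)

def authorize(line, policy=POLICY):
    """Return the server's decision for the exact string it receives."""
    for action, pattern in policy:
        if re.search(pattern, line):
            return action
    return "deny"

def decide(entered, send_full_command=True):
    """Return (string sent to the server, decision) for one entered command."""
    sent = expand(entered) if send_full_command else entered
    return sent, authorize(sent)

if __name__ == "__main__":
    for cmd in ("sh run", "serv web1", "no serv web1"):
        print(cmd, "->", decide(cmd), "| as entered:", decide(cmd, False))
```

With send_full_command=False, the model's server rules would have to cover every abbreviation a user might type in order to produce the same decisions.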