MDS 9100 SAN OS with TACACS using Cisco ACS 5.x

I wanted the MDS switches to finally be added to TACACS so that the backup scripts can run with the TACACS login they have for the standard routers/switches. Here’s the code used (note that the fallback to local auth is also enabled if tacacs is unavailable):

tacacs+ enable
tacacs+ distribute
tacacs-server key whatevs-key
tacacs-server host
tacacs+ commit
aaa group server tacacs+ tacacs-group1
aaa authentication login default group tacacs-group1 local
aaa accounting default group tacacs-group1 local

On Cisco ACS 5.x you need to add an option to the shell profile you use for TACACS. In my case I just added the attribute to the standard profile which gives ‘level 15’ privilege to passed authentications for other IOS devices.

Probably easier to show you in an image (below), but for MDS switches to work with ACS 5.x you need to add :

attribute  ->  shell:roles
requirement->  Optional
value      ->  network-admin


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s