English

Grant CSA user privileges using a TACACS+ server

Contributors netapp-rlithman Download PDF of this page

If you are using a TACACS+ server and you need to grant CSA user privileges for your switches, you must create a user privilege group and grant the group access to the specific set up commands needed by CSA.
The following commands should be written into the configuration file for your TACACS+ server.

Steps
  1. Enter the following to create a user privilege group with read-only access:
    group=group_name {
    default service=deny
    service=exec{
    priv-lvl=0
    }
    }

  2. Enter the following to grant access to commands needed by CSA:
    cmd=show {
    permit "environment"
    permit "version"
    permit "feature"
    permit "feature-set"
    permit hardware.*
    permit "interface"
    permit "interface"
    permit "interface transceiver"
    permit "inventory"
    permit "license"
    permit "module"
    permit "port-channel database"
    permit "ntp peers"
    permit "license usage"
    permit "port-channel summary"
    permit "running-config"
    permit "startup-config"
    permit "running-config diff"
    permit "switchname"
    permit "int mgmt0"
    permit "cdp neighbors detail"
    permit "vlan"
    permit "vpc"
    permit "vpc peer-keepalive"
    permit "mac address-table"
    permit "lacp port-channel"
    permit "policy-map"
    permit "policy-map system type qos"
    permit "policy-map system type queuing"
    permit "policy-map system type network-qos"
    permit "zoneset active"
    permit "san-port-channel summary"
    permit "flogi database"
    permit "fcns database detail"
    permit "fcns database detail"
    permit "zoneset active"
    permit "vsan"
    permit "vsan usage"
    permit "vsan membership"
    }

  3. Enter the following to add your CSA user account to the newly created group:
    user=user_account{
    member=group_name
    login=file/etc/passwd
    }