ACS 4.2, NX-OS and Cisco AV-Pair

Unanswered Question
Apr 28th, 2010

Although I configured the AAA stuff on the Nexus 5k and the ACS with the shell exec and role information, I still end up with the default role "network-operator" on the Nexus.

I attached the main configuration for this feature.

Does anybody have an idea where the problem could be found?

Apparently the output of "debug aaa all" is not very useful; in this case NX-OS is not like IOS.

ACS 4.2 Configuration:

User Config:

shell exec (enabled)

shell:roles*"network-admin"  (actually I also tried shell:roles="network-admin")

After login, the output of the command "show user-account" says:

account created through REMOTE authentication

AAA Configuration:

rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request

rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+

tacacs-server timeout 3

tacacs-server host key 7 "xx"
aaa group server tacacs+ tacacs
    source-interface Vlan501

In the ACS Passed Authentication report everything looks fine.

Any hints?



Javier Henderson (Cisco Employee) Wed, 04/28/2010 - 09:25

On ACS set the log level detail to full, reproduce the problem, collect a, then look at the auth.log and TCS.log files, see if any hints appear there.

Also, consider capturing the traffic between the NX-OS switch and ACS, to see what ACS is receiving from the switch and what it is sending back.
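As an added example (not code from this thread or from Cisco): once the capture suggested above has been taken and the TACACS+ authorization REPLY body decoded with the shared key (a protocol analyser configured with the key does that step), this Python parses the reply per RFC 8907 and shows which role NX-OS would derive from the shell:roles AV-pair, including the '=' versus '*' separator the question is about, or that it falls back to network-operator when the pair is missing. The decoded body is assumed as input; the sample reply below is constructed, not captured.

```python
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2). NX-OS falls back to
# network-operator when a PASS reply carries no shell:roles AV-pair.
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
NXOS_DEFAULT_ROLE = "network-operator"

def parse_author_reply(body):
    """Decode a cleartext authorization REPLY body into (status name, server_msg, [AV-pairs])."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6 + arg_cnt  # arg length bytes sit between the fixed header and server_msg
    server_msg = body[pos:pos + msg_len].decode()
    pos += msg_len + data_len  # skip server_msg and the data field
    args = []
    for n in body[6:6 + arg_cnt]:  # one length byte per argument
        args.append(body[pos:pos + n].decode())
        pos += n
    return AUTHOR_STATUS.get(status, hex(status)), server_msg, args

def split_avpair(arg):
    """Return (name, separator, value); '=' marks a mandatory, '*' an optional AV-pair."""
    seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
    if not seps:
        raise ValueError(f"malformed AV-pair: {arg!r}")
    idx = min(seps)  # the first separator character delimits the name
    return arg[:idx], arg[idx], arg[idx + 1:].strip('"')  # documented NX-OS syntax quotes the value

def nxos_roles(args):
    """Roles NX-OS takes from a space-separated shell:roles value, else the default role."""
    for arg in args:
        name, _sep, value = split_avpair(arg)
        if name == "shell:roles":
            return value.split()
    return [NXOS_DEFAULT_ROLE]

def build_author_reply(status, args):
    """Assemble a cleartext authorization REPLY body; used here only to construct sample input."""
    raw = [a.encode() for a in args]
    return struct.pack("!BBHH", status, len(raw), 0, 0) + bytes(map(len, raw)) + b"".join(raw)

# Constructed sample (not a real capture): a PASS_ADD reply carrying the AV-pair from the post
SAMPLE_BODY = build_author_reply(0x01, ['shell:roles*"network-admin"'])
```

If the decoded reply shows PASS but no shell:roles argument, the server side (ACS) is the place to look; if the argument is present, the switch's handling of it is.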
