ACS 4.2, NX-OS and Cisco AV-Pair

Unanswered Question
Apr 28th, 2010

Hi

Although I configured the AAA stuff on the Nexus 5k and the ACS with the shell exec and role information, I still end up with the default role "network-operator" on the Nexus.

I attached the main configuration for this feature.

Does anybody have an idea where the problem could be found?

Apparently the output of "debug aaa all" is not very useful; in this case NX-OS is not like IOS.

ACS 4.2 Configuration:

User Config:

shell exec (enabled)

shell:roles*"network-admin"  (actually I also tried shell:roles="network-admin")

After login, the output of the command "show user-account" says:

user:ude3964
        roles:network-operator
account created through REMOTE authentication

AAA Configuration:

rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request

rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+

tacacs-server timeout 3

tacacs-server host 172.28.193.35 key 7 "xx"
aaa group server tacacs+ tacacs
    server 172.28.193.35
    source-interface Vlan501

In the ACS Passed Authentication report everything looks fine.

Any hints?

Cheers

Patrick

Javier Henderson Wed, 04/28/2010 - 09:25

On ACS set the log level detail to full, reproduce the problem, collect a package.cab, then look at the auth.log and TCS.log files and see if any hints appear there.

Also, consider capturing the traffic between the NX-OS switch and ACS, to see what ACS is receiving from the switch and what it is sending back.
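As an added example (not from this thread, Cisco ACS or NX-OS), a small Python decoder for the TACACS+ authorization REPLY that a capture between the switch and ACS would show: it removes the MD5 body obfuscation with the shared key, walks the RFC 8907 reply layout, and pulls out the shell:roles AV pair, distinguishing the mandatory "=" from the optional "*" separator. The key, session id and the sample reply are constructed here; the build_author_reply helper only exists to produce that sample.

```python
import hashlib, re, struct

# Authorization REPLY status codes (RFC 8907, section 6.2)
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}

def tacacs_pad(session_id, key, version, seq_no, length):
    # MD5 pseudo-pad that obfuscates every TACACS+ body (RFC 8907, section 4.5)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def unobfuscate(packet, key):
    # Parse the 12-byte header, then XOR the body with the pad unless TAC_PLUS_UNENCRYPTED_FLAG is set
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & 0x01:
        return body
    return bytes(b ^ p for b, p in zip(body, tacacs_pad(session_id, key, version, seq_no, length)))

def parse_author_reply(body):
    # REPLY layout: status, arg_cnt, server_msg_len, data_len, arg lengths, server_msg, data, args
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens, off = body[6:6 + arg_cnt], 6 + arg_cnt
    server_msg = body[off:off + msg_len].decode(errors="replace")
    off += msg_len + data_len  # skip server_msg and the opaque data field
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode(errors="replace"))
        off += n
    return {"status": AUTHOR_STATUS.get(status, hex(status)), "server_msg": server_msg, "args": args}

def shell_roles(args):
    # (mandatory, [roles]) for shell:roles, or None; the first '=' means mandatory, the first '*' optional
    for a in args:
        m = re.match(r"([^=*]+)([=*])(.*)", a, re.S)
        if m and m.group(1) == "shell:roles":
            return m.group(2) == "=", m.group(3).strip('"').split()
    return None

def build_author_reply(status, args, key, session_id=0x1234ABCD, seq_no=2):
    # Constructed sample only: encode and obfuscate a reply the way a server would put it on the wire
    raw = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(raw), 0, 0) + bytes(len(a) for a in raw) + b"".join(raw)
    header = struct.pack("!BBBBII", 0xC0, 0x02, seq_no, 0, session_id, len(body))  # version 0xC0, type AUTHOR
    return header + bytes(b ^ p for b, p in zip(body, tacacs_pad(session_id, key, 0xC0, seq_no, len(body))))

KEY = b"constructed-shared-secret"  # placeholder, not the key from the post
SAMPLE = build_author_reply(0x01, ['shell:roles*"network-admin"', "priv-lvl=15"], KEY)
```

A reply taken from a real capture goes through unobfuscate and parse_author_reply the same way, as long as the bytes passed in start at the 12-byte TACACS+ header.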
