Nexus 5000 securing login and default roles

Unanswered Question

I have a Nexus 5020 (NX-OS 4.1(3)N2(1)) configured for RADIUS server authentication, and I have a group "network" in ACS that has shell:role="network-admin". I have noticed that if you're in ACS as a user not in my "network" group, the Nexus will still allow you to log in and run all the show commands. How can I get rid of the default role? I don't want anyone to be able to run show commands by default.

bmcginn Wed, 07/14/2010 - 15:13

Hi there,


I haven't worked with NX-OS yet, so I don't know if this will work with them, but if you have grouped the Nexus devices in the ACS in the 'Network Configuration' tab, you can try the following to deny those users access to them.

Once you've grouped them properly, you can then create a 'Network Access Filter', which is found under 'Shared Profile Components', name it and select the group you put your Nexuses in.

Then go to the group of the users that you don't want to allow access to the Nexus and, in the 'Network Access Restrictions (NAR)' section, look for the 'Per Group Defined Network Access Restrictions' part, select 'Define IP-based access restrictions', and select 'Denied Calling/Point of Access Locations' from the 'Table Defines' drop-down. In the 'AAA Client' drop-down you can select the NDG Nexus group; put a * in 'Port' and a * in 'Address' and then add it.

I think you need to restart the ACS service.

See how that goes. I hope I've understood what you're after, and if not I apologise.


Brad

Marko Pribanic Mon, 09/13/2010 - 13:23

You can put the "no aaa user default-role" command on the Nexus.

That way you will restrict AAA users from logging in as default-role users.
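As an added example (not part of the thread, and not Cisco's code): a small Python model of the role decision the two posts are talking about. It encodes and parses the RADIUS Vendor-Specific attribute (RFC 2865 type 26, Cisco vendor id 9, sub-type 1 "cisco-av-pair") that ACS uses to carry the role, then applies the rule that `no aaa user default-role` changes: a user whose Access-Accept carries a role gets that role; a user with no role attribute gets network-operator while the default role is enabled, and is refused once it is disabled. NX-OS documents the attribute as shell:roles="..." (the question writes shell:role); the parser below accepts both spellings. The function names, the sample Access-Accept attribute lists and the other-vendor attribute are constructed for this example and are not taken from a real switch or ACS.

```python
"""
Added example: model of how an NX-OS switch turns a RADIUS Access-Accept into a
user role, and what `no aaa user default-role` changes.  Names and sample data
are this example's own; the real switch code may differ in detail.
"""
import struct

RADIUS_VSA = 26          # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # Cisco vendor sub-type for "cisco-av-pair"
NXOS_DEFAULT_ROLE = "network-operator"   # role NX-OS grants when no role attribute arrives


def encode_cisco_avpair(avpair: str) -> bytes:
    """Encode one cisco-av-pair string as a RADIUS Vendor-Specific attribute."""
    value = avpair.encode()
    # Vendor sub-attribute: sub-type, length (string + 2), then the string
    sub = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    # Outer attribute: type 26, length (2 + vendor id 4 + sub), vendor id, sub
    return struct.pack("!BB", RADIUS_VSA, len(sub) + 6) + struct.pack("!I", CISCO_VENDOR_ID) + sub


def parse_attributes(blob: bytes):
    """Walk a RADIUS attribute list, yielding (type, value) pairs."""
    i = 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, blob[i + 2:i + alen]
        i += alen


def cisco_avpairs(blob: bytes):
    """Return the cisco-av-pair strings found in an attribute list."""
    pairs = []
    for atype, value in parse_attributes(blob):
        if atype != RADIUS_VSA or len(value) < 6:
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        if vendor != CISCO_VENDOR_ID:      # VSAs from other vendors are ignored
            continue
        # the vendor data may hold several sub-attributes back to back
        for stype, svalue in parse_attributes(value[4:]):
            if stype == CISCO_AVPAIR:
                pairs.append(svalue.decode())
    return pairs


def roles_from_avpairs(pairs):
    """Pull role names out of shell:roles="..." (or shell:role=...) av-pairs."""
    roles = []
    for p in pairs:
        key, _, val = p.partition("=")
        if key.strip() in ("shell:roles", "shell:role"):
            roles.extend(val.strip().strip('"').split())
    return roles


def assign_role(access_accept_attrs: bytes, default_role_enabled: bool):
    """Decide the login outcome: a list of roles, or None when login is refused."""
    roles = roles_from_avpairs(cisco_avpairs(access_accept_attrs))
    if roles:
        return roles
    if default_role_enabled:        # `aaa user default-role` (the NX-OS default)
        return [NXOS_DEFAULT_ROLE]
    return None                     # `no aaa user default-role`: no role, no login


# Constructed Access-Accept attribute lists (not captured traffic):
ADMIN_ACCEPT = encode_cisco_avpair('shell:roles="network-admin"')      # member of the "network" group
MULTI_ACCEPT = encode_cisco_avpair('shell:roles="network-admin vdc-admin"')
NO_ROLE_ACCEPT = b""                                                    # user in some other ACS group
FOREIGN_VSA = struct.pack("!BBI", RADIUS_VSA, 6, 311)                   # a VSA from vendor 311 (Microsoft)

if __name__ == "__main__":
    for name, attrs in (("network group", ADMIN_ACCEPT), ("other group", NO_ROLE_ACCEPT)):
        for enabled in (True, False):
            setting = "aaa user default-role" if enabled else "no aaa user default-role"
            print("%-14s %-26s -> %s" % (name, setting, assign_role(attrs, enabled)))
```

On the switch itself the change is `no aaa user default-role` in configuration mode, and `show aaa user default-role` confirms it. Keep a working local admin account as a fallback before making the change, because once the default role is disabled any user whose ACS group sends no role attribute is refused entirely rather than dropped to network-operator.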
