2132 Views | 5 Helpful | 4 Replies

Nexus 5000 securing login and default roles

rlwilson
Level 1

I have a Nexus 5020 running NX-OS 4.1(3)N2(1) configured for RADIUS server authentication, and I have a group "network" in ACS that has the shell:role="network-admin". I have noticed that if you're in ACS as a user not in my "network" group, the Nexus will still allow you to log in and run all the show commands. How can I get rid of the default role? I don't want anyone to be able to run show commands by default.

4 Replies

Amit Singh
Cisco Employee

You need to bind your network group with the shell command authorization in the ACS. Please see the example below; it should help you.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

HTH,

Cheers

This is a Nexus 5020 running NX-OS. NX-OS does NOT use shell command authorization. Instead, Nexus uses role-based authorization.

Hi there,

I haven't worked with NX-OS yet, so I don't know if this will work with them, but if you have grouped the Nexus devices in the ACS in the 'Network Configuration' tab, you can try the following to deny users access to them.

Once you've grouped them properly, you can then create a 'Network Access Filter' which is found under 'Shared Profile Components', name it and select the group you put your nexus' in.

Then go to the group of the users that you don't want to allow access to the Nexus and, in the 'Network Access Restrictions (NAR)' section, look for the 'Per Group Defined Network Access Restrictions' part, select 'define IP-based access restrictions', and select 'Denied Calling/Point of Access Locations' from the 'Table Defines' drop down. In the 'AAA Client' drop down you can select the NDG Nexus group, put a * in 'Port' and a * in 'Address', and then add it.

I think you need to restart the ACS service.

See how that goes. I hope I've understood what you're after, and if not, I apologise.

Brad

Marko Pribanic
Level 1

You can put the "no aaa user default-role" command on the Nexus.

That way you will prevent the AAA users from logging in as default-role users.
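The behaviour in the original question and the fix in the last reply fit together like this: NX-OS assigns a remote (RADIUS/TACACS+) user the role carried in the cisco-av-pair attribute of the AAA reply (NX-OS expects it as shell:roles="network-admin"), and when the reply carries no role the switch falls back to the default role, network-operator, which is exactly what lets every ACS user run show commands. Disabling that fallback with "no aaa user default-role" means a user whose ACS group sends no role is refused at login instead of being handed read-only access. The configuration below is an added example written for this thread, not a poster's configuration; the server address, shared secret and group name are placeholders.

```nxos
! Added example, not from the thread. Server address, shared secret and
! server-group name are placeholders to replace with your own values.

! --- Weak state (the NX-OS default) ---
! "aaa user default-role" is enabled out of the box: any authenticated
! RADIUS user without a role in the cisco-av-pair reply is placed in the
! default role network-operator and can run show commands.
! Check the current setting with:
show aaa user default-role

! --- Hardened state ---
configure terminal
  radius-server host 192.0.2.10 key 0 REPLACE_WITH_SHARED_SECRET authentication accounting
  aaa group server radius RADIUS-NXOS
    server 192.0.2.10
    use-vrf management
  ! RADIUS first; "local" is consulted only when no RADIUS server answers,
  ! so a server outage cannot lock you out of the switch.
  aaa authentication login default group RADIUS-NXOS local
  ! Refuse login to any remote user that was not given a role through the
  ! AAA reply (ACS group attribute cisco-av-pair = shell:roles="network-admin").
  no aaa user default-role
end

! --- Verification ---
show aaa user default-role
show aaa authentication
show user-account
show role
```

After the change, test with two ACS accounts before leaving the session: one in the "network" group (should land in network-admin, visible in "show user-account") and one outside it (should be rejected at login rather than dropped into network-operator).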
