ACS 5.1 and ACE authentication

Answered Question
Aug 26th, 2010

Any guidance on configuring the shell profile for RBAC on ACS5.1 for ACE or Nexus 1000v? I've configured 4.x before with ACE and it works fine, but I can't seem to get it to work right with 5.1.  On the Nexus it always logs me in as vdc-operator.  On ACS 4.x I had to create the custom shell attribute as below for ACE.



shell:Admin*Admin default-domain

Overall Rating: 5 (3 ratings)
Correct Answer
jrabinow Thu, 08/26/2010 - 12:24
User Badges: Cisco Employee

Go to the shell profile definitions


- Select custom attributes tab

- In data entry field at the bottom enter:

Attribute:   shell:Admin

Value: Admin default-domain

Requirement: Optional


Press "Add" to add to list and then "Submit" to save

David Niemann Thu, 08/26/2010 - 13:35

That worked perfectly for the ACE. I knew it was close, but the context was just different enough from the 4.x that I was guessing wrong. What about for the Nexus roles? It keeps logging me in as vdc-operator. I've tried Attribute role: and Value of network-admin with optional also.

jrabinow Thu, 08/26/2010 - 14:13
User Badges: Cisco Employee

Did you have Nexus roles working with ACS 4.2? Do you know what attribute and value needs to be returned?

David Niemann Thu, 08/26/2010 - 17:21

No, this is a new experience for me with the Nexus.  The only thing I found was from the Nexus 7k documentation that mentions the role of network-admin must be assigned.  I actually wish they would be more specific regarding special configurations for interoperability with ACS.

David Niemann Fri, 08/27/2010 - 06:24

I ended up opening a TAC case and got the proper attributes.


Attribute would be "shell:roles"

Requirement is Optional

Value is "network-admin"


or on ACS4.2 it would be shell:roles*"network-admin"


For any others that might use this info
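
The mapping between the ACS 4.x one-line form and the three ACS 5.1 fields used in this thread, as an added example (not code from any poster or from Cisco). It assumes the standard TACACS+ attribute-value separators, where `=` marks a mandatory pair and `*` an optional one; the names `ShellAttr` and `split_av_pair` are hypothetical, and `priv-lvl=15` in the usage comment is a constructed sample.

```python
# Added example: split an ACS 4.x style custom attribute string into the
# Attribute / Value / Requirement fields of an ACS 5.x shell profile.
from typing import NamedTuple


class ShellAttr(NamedTuple):
    attribute: str
    value: str
    requirement: str  # "Mandatory" or "Optional"


# TACACS+ AV-pair separators. A device that does not understand an optional
# pair may ignore it; an unsupported mandatory pair fails authorization.
SEPARATORS = {"=": "Mandatory", "*": "Optional"}


def split_av_pair(av: str) -> ShellAttr:
    """Split at the first separator; the rest is the value, kept verbatim."""
    av = av.strip()
    positions = [(av.find(sep), sep) for sep in SEPARATORS if sep in av]
    if not positions:
        raise ValueError(f"no '=' or '*' separator in {av!r}")
    idx, sep = min(positions)  # earliest separator wins
    attribute = av[:idx].strip()
    value = av[idx + 1:].strip()  # quotes and spaces inside are preserved
    if not attribute or not value:
        raise ValueError(f"empty attribute or value in {av!r}")
    return ShellAttr(attribute, value, SEPARATORS[sep])


def as_acs5_fields(av: str) -> str:
    """Render the pair the way the custom attributes tab asks for it."""
    f = split_av_pair(av)
    return (f"Attribute: {f.attribute}\n"
            f"Value: {f.value}\n"
            f"Requirement: {f.requirement}")


if __name__ == "__main__":
    # The two 4.x strings quoted in the thread, plus one constructed sample.
    for line in ("shell:Admin*Admin default-domain",
                 'shell:roles*"network-admin"',
                 "priv-lvl=15"):
        print(as_acs5_fields(line), end="\n\n")
```
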
