08-26-2010 09:42 AM - edited 03-10-2019 05:21 PM
Any guidance on configuring the shell profile for RBAC on ACS5.1 for ACE or Nexus 1000v? I've configured 4.x before with ACE and it works fine, but I can't seem to get it to work right with 5.1. On the Nexus it always logs me in as vdc-operator. On ACS 4.x I had to create the custom shell attribute as below for ACE.
shell:Admin*Admin default-domain
08-26-2010 12:24 PM
Go to the shell profile definitions
- Select custom attributes tab
- In data entry field at the bottom enter:
Attribute: shell:Admin
Value: Admin default-domain
Requirement: Optional
Press "Add" to add to list and then "Submit" to save
08-26-2010 01:35 PM
That worked perfectly for the ACE. I knew it was close, but the context was just different enough from the 4.x that I was guessing wrong. What about for the Nexus roles? It keeps logging me in as vdc-operator. I've tried Attribute role: and Value of network-admin with optional also.
08-26-2010 02:13 PM
Did you have Nexus roles working with ACS 4.2? Do you know what attribute and value need to be returned?
08-26-2010 05:21 PM
No, this is a new experience for me with the Nexus. The only thing I found was from the Nexus 7k documentation that mentions the role of network-admin must be assigned. I actually wish they would be more specific regarding special configurations for interoperability with ACS.
08-27-2010 06:24 AM
I ended up opening a TAC case and got the proper attributes.
Attribute would be "shell:roles"
Requirement is Optional
Value is "network-admin"
or on ACS4.2 it would be shell:roles*"network-admin"
For any others that might use this info
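An added example, not part of any post in this thread: a small converter that splits the ACS 4.x-style strings quoted above into the three fields the ACS 5.1 custom attributes tab asks for. The names `split_av_pair` and `CustomAttribute` are hypothetical; the `=` (mandatory) separator comes from the TACACS+ attribute-value pair convention rather than from the thread, and quotes in a value are kept exactly as typed.

```python
from typing import NamedTuple

# TACACS+ AV-pair separators: '=' marks a mandatory pair, '*' an optional one.
SEPARATORS = {"=": "Mandatory", "*": "Optional"}


class CustomAttribute(NamedTuple):
    attribute: str    # ACS 5.x "Attribute" field
    requirement: str  # ACS 5.x "Requirement" field
    value: str        # ACS 5.x "Value" field


def split_av_pair(av_pair: str) -> CustomAttribute:
    """Split 'name<sep>value' at the first '=' or '*' in the string."""
    text = av_pair.strip()
    positions = [i for i, ch in enumerate(text) if ch in SEPARATORS]
    if not positions:
        raise ValueError(f"no '=' or '*' separator in {av_pair!r}")
    idx = positions[0]
    name = text[:idx].strip()
    value = text[idx + 1:].strip()  # later '=' or '*' stay part of the value
    if not name or not value:
        raise ValueError(f"empty attribute or value in {av_pair!r}")
    return CustomAttribute(name, SEPARATORS[text[idx]], value)


# The two 4.x-style strings quoted in the thread.
THREAD_STRINGS = [
    "shell:Admin*Admin default-domain",
    'shell:roles*"network-admin"',
]


def convert_all(strings):
    """Convert each 4.x string to its ACS 5.x field triple."""
    return [split_av_pair(s) for s in strings]


if __name__ == "__main__":
    for attr in convert_all(THREAD_STRINGS):
        print(f"Attribute: {attr.attribute}")
        print(f"Requirement: {attr.requirement}")
        print(f"Value: {attr.value}")
        print()
```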