
ACS 5.1 and ACE authentication

David Niemann
Level 3

Any guidance on configuring the shell profile for RBAC on ACS5.1 for ACE or Nexus 1000v? I've configured 4.x before with ACE and it works fine, but I can't seem to get it to work right with 5.1.  On the Nexus it always logs me in as vdc-operator.  On ACS 4.x I had to create the custom shell attribute as below for ACE.

shell:Admin*Admin default-domain

Accepted Solutions

jrabinow
Level 7

Go to the shell profile definitions

- Select custom attributes tab

- In data entry field at the bottom enter:

Attribute:   shell:Admin

Value: Admin default-domain

Requirement: Optional

Press "Add" to add to list and then "Submit" to save

That worked perfectly for the ACE. I knew it was close, but the context was just different enough from the 4.x that I was guessing wrong. What about for the Nexus roles? It keeps logging me in as vdc-operator. I've tried Attribute   role:    and Value of network-admin with optional also.

Did you have Nexus roles working with ACS 4.2? Do you know what attribute and value needs to be returned?

No, this is a new experience for me with the Nexus.  The only thing I found was from the Nexus 7k documentation that mentions the role of network-admin must be assigned.  I actually wish they would be more specific regarding special configurations for interoperability with ACS.

I ended up opening a TAC case and got the proper attributes.

Attribute would be "shell:roles"

Requirement is Optional

Value is "network-admin"

or on ACS4.2 it would be shell:roles*"network-admin"

For any others that might use this info
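
The ACS 4.x one-line strings quoted in this thread, split into the Attribute / Requirement / Value fields that the ACS 5.1 custom attributes tab asks for. This is an added example, not code from any poster or from Cisco; it assumes the TACACS+ convention that `*` marks an optional pair and `=` a mandatory one, and the function names are hypothetical.

```python
from typing import NamedTuple


class ShellAttr(NamedTuple):
    attribute: str    # ACS 5.x "Attribute" field, e.g. shell:roles
    requirement: str  # ACS 5.x "Requirement" field
    value: str        # ACS 5.x "Value" field


# TACACS+ AV-pair separators. A device that does not recognise a mandatory
# pair must fail the authorization; an optional pair it does not recognise
# is ignored. That matters when one shell profile serves several platforms.
SEPARATORS = {"=": "Mandatory", "*": "Optional"}
SEP_FOR = {req: sep for sep, req in SEPARATORS.items()}


def parse_av_pair(line: str) -> ShellAttr:
    """Split an ACS 4.x style 'attribute<sep>value' string into ACS 5.x fields."""
    text = line.strip()
    # The first separator ends the attribute name; later '=' or '*'
    # characters belong to the value.
    hits = [(text.index(sep), sep) for sep in SEPARATORS if sep in text]
    if not hits:
        raise ValueError(f"no '=' or '*' separator in {line!r}")
    pos, sep = min(hits)
    attribute, value = text[:pos].strip(), text[pos + 1:].strip()
    if not attribute or any(ch.isspace() for ch in attribute):
        raise ValueError(f"bad attribute name in {line!r}")
    if not value:
        raise ValueError(f"empty value in {line!r}")
    # Quotes are kept verbatim: the thread does not say whether ACS 5.x
    # expects them as part of the value.
    return ShellAttr(attribute, SEPARATORS[sep], value)


def to_av_pair(attr: ShellAttr) -> str:
    """Rebuild the one-line ACS 4.x form from the three ACS 5.x fields."""
    return f"{attr.attribute}{SEP_FOR[attr.requirement]}{attr.value}"


if __name__ == "__main__":
    # The two strings quoted in this thread.
    for raw in ('shell:Admin*Admin default-domain', 'shell:roles*"network-admin"'):
        a = parse_av_pair(raw)
        print(f"Attribute: {a.attribute}  Requirement: {a.requirement}  Value: {a.value}")
```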