ACS 5.1 Tacacs+ Nexus 5000

Unanswered Question
Sep 13th, 2010

Hello,

I am having some problems changing the role of my AD-validated user on my Nexus.

Users are validated against AD, then I am trying to push an AV pair attribute to change the user role to network-admin.

All settings are getting assigned to my user (access profile, shell etc.).

I tried the following custom attributes in my shell profile:

Attribute          Value
shell              roles="network-admin"
shell              roles=network-admin
shell:roles        "network-admin"
shell:roles        network-admin
cisco-av-pair      shell:roles="network-admin"

When I do a show user-account, my user is never network-admin; it stays at network-operator.

Any idea?

mansrini (Cisco Employee) Sun, 09/26/2010 - 16:50

Hello,


There is a known bug w.r.t. authorization in 4.x versions of the Nexus code. As a workaround, try the following under the AAA server group:

use-vrf default (or management, depending on which VRF is used to reach the AAA server).

The attribute should be cisco-av-pair=shell:roles and the value should be network-admin.


Thanks,

Mani
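The workaround from the reply above, written out as an NX-OS configuration fragment. This is an added example, not configuration from the original thread: the server address 192.0.2.10, the key, the group name ACS-TACACS and the choice of the management VRF (mgmt0 on a Nexus 5000 lives there) are placeholders, so set them to wherever your ACS is actually reachable from. The trailing `local` keeps local accounts as a fallback if the TACACS+ server is unreachable; drop it if your policy forbids that.

```text
! NX-OS (Nexus 5000) - TACACS+ towards ACS, with the use-vrf workaround.
! Values below are placeholders for this example, not from the thread.
feature tacacs+
tacacs-server host 192.0.2.10 key 0 PLACEHOLDER-SHARED-SECRET
tacacs-server timeout 5

aaa group server tacacs+ ACS-TACACS
  server 192.0.2.10
  use-vrf management
  source-interface mgmt0

aaa authentication login default group ACS-TACACS local
```

After logging in through ACS, `show user-account` should list the roles the shell profile returned; if the bug described above is hit, the session still falls back to network-operator until `use-vrf` matches the VRF the server is reached through.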

HUBERT RESCH Mon, 02/14/2011 - 04:23

Hi, is this the correct format to apply?

Attribute: cisco-av-pair*shell:roles
Value: "network-operator"

In ACS 4.x we assigned this under custom attributes:

cisco-av-pair*shell:roles="network-operator"

Thx

Hubert

mansrini (Cisco Employee) Mon, 02/14/2011 - 08:56

Hello,


Just

attribute - shell:roles
requirement - optional
value - network-operator

should do. I have been using this all the time with no problems. I believe the format you have been using should also work. In any case, be aware that the other AV pairs that I see in your shell profile might break Nexus, as Nexus might not understand some of those attributes. You could either make all those attributes optional (so any device which doesn't understand those attributes will ignore them) or you could create separate shell profiles for IOS and Nexus and tie them to access policies based on which NDG the request is coming from.


Thanks,

Mani
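The two replies above distinguish a mandatory attribute (ACS "requirement" mandatory, which goes on the wire as shell:roles=value) from an optional one (shell:roles*value), and warn that a mandatory attribute a Nexus does not understand can break authorization. The following Python is an added example, not code from the thread or from Cisco: it parses attribute strings in the TACACS+ authorization-reply syntax (name, then the first '=' or '*', then value), pulls the NX-OS roles out of shell:roles, and reports any mandatory attribute the device would not recognise. The set of attributes it treats as known (KNOWN_ATTRS) and the sample reply in the demo are constructed for this example, not taken from ACS or NX-OS documentation.

```python
"""Parse TACACS+ authorization attributes the way a Nexus would read them.

Added example for this thread, not code from ACS or NX-OS. In the TACACS+
authorization reply each attribute is a string of the form name=value
(mandatory) or name*value (optional); the separator is the first '=' or '*'.
"""
import re
from dataclasses import dataclass

# Attributes this example assumes the device understands for service=shell.
# Constructed for the example; check your platform's own list.
KNOWN_ATTRS = frozenset({"shell:roles", "priv-lvl"})

_AVPAIR = re.compile(r"^([^=*]+)([=*])(.*)$")


@dataclass(frozen=True)
class AvPair:
    name: str
    value: str
    mandatory: bool


def parse_avpair(raw: str) -> AvPair:
    """Split one attribute at its first '=' (mandatory) or '*' (optional)."""
    m = _AVPAIR.match(raw)
    if not m:
        raise ValueError(f"not a TACACS+ attribute: {raw!r}")
    name, sep, value = m.groups()
    # ACS lets the value be typed with or without surrounding quotes.
    value = value.strip().strip('"')
    return AvPair(name.strip(), value, mandatory=(sep == "="))


def roles_from_reply(attrs, known=KNOWN_ATTRS):
    """Return (roles, problems) for the attribute strings of one reply.

    roles:    NX-OS role names from shell:roles (space separated in the value).
    problems: mandatory attributes the device does not understand; a device
              that enforces mandatory attributes may reject the whole reply,
              an optional (*) attribute it does not understand is ignored.
    """
    roles, problems = [], []
    for raw in attrs:
        av = parse_avpair(raw)
        if av.name == "shell:roles":
            roles.extend(av.value.split())
        elif av.mandatory and av.name not in known:
            problems.append(av.name)
    return roles, problems


if __name__ == "__main__":
    # Constructed reply: a shell profile shared between IOS and Nexus.
    reply = [
        'shell:roles="network-admin vdc-admin"',
        "priv-lvl=15",
        "shell:autocmd*show version",   # optional, harmless if unknown
        "idletime=10",                  # mandatory and unknown here
    ]
    roles, problems = roles_from_reply(reply)
    print("roles:", roles)
    print("mandatory attributes the device would not understand:", problems)
```

The separator rule is why `shell:roles="network-admin"` and `shell:roles*network-operator` both parse to the attribute `shell:roles`, while the first two rows of the original table (`shell` with value `roles=...`) arrive as an attribute named `shell` that nothing on the device maps to a role, consistent with the user staying at network-operator.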
