We are using ACS 4.2 to grant access to a large number of network devices, mostly Cisco, but also Nortel, Juniper, etc. All working fine.
But now we are installing/testing Cisco Nexus devices, and we can't get authentication/authorization working for the DCNM application through ACS.
After adding cisco-av-pair=shell:roles*"network-admin", we get authenticated in DCNM correctly, and also on most core Cisco devices, but many of the Cisco access switches deny us access. As I understand it, the "*" in the av-pair means "optional", so I'm presuming this is due to an IOS bug in those access switches.
As we have many of those devices out there and don't want to have to upgrade them all just for DCNM access, is there any other way to make this work? For example, sending the av-pair only when requests come from a specific IP, or something like that?
I'm new to ACS, but have been browsing through the manuals for a few hours without much luck.
BTW: shell access to the Nexus boxes works fine with the av-pair implemented.
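The mandatory/optional distinction in the av-pair, as an added Python example that is not code from this thread or from Cisco: in TACACS+ (RFC 8907, section 8.1) an attribute sent with "=" is mandatory and a client that cannot honour it must treat the authorization as failed, while one sent with "*" is optional and may be ignored. The block below parses AV pairs with that rule and then evaluates one constructed server reply against three client behaviours. The reply lines, the per-platform supported-attribute sets and the reject_unknown_optional switch are assumptions made for illustration; priv-lvl and shell:roles are real attribute names, but which attributes a given IOS or NX-OS image accepts is not taken from the page.

```python
"""Mandatory ('=') vs optional ('*') TACACS+ authorization attributes.

Added example; this is not code from the thread or from Cisco. The server
reply lines and the per-platform "supported attribute" sets are constructed
for illustration. 'priv-lvl' and 'shell:roles' are real attribute names,
but which attributes a given IOS or NX-OS image accepts is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool  # True when the separator was '=', False for '*'


def parse_av_pair(text: str) -> AVPair:
    """Split a TACACS+ AV pair on its first '=' or '*' (RFC 8907, 8.1).

    '=' marks a mandatory attribute the client must honour; '*' marks an
    optional one the client may silently ignore. Any quotes around the
    value are kept as sent; the caller decides how to strip them.
    """
    for i, ch in enumerate(text):
        if ch in "=*":
            return AVPair(text[:i], text[i + 1:], ch == "=")
    raise ValueError(f"no '=' or '*' separator in AV pair: {text!r}")


def authorize(reply: Iterable[str], supported: Set[str],
              reject_unknown_optional: bool = False) -> Tuple[bool, Dict[str, str]]:
    """Evaluate a server's authorization reply the way a NAS would.

    Returns (authorized, applied_attributes). An unsupported attribute
    fails the whole authorization only if it is mandatory. With
    reject_unknown_optional=True the function instead models a client that
    also refuses unknown optional attributes, i.e. the behaviour the poster
    sees on the access switches (the flag and this modelling are
    assumptions made for the example, not a documented IOS setting).
    """
    applied: Dict[str, str] = {}
    for line in reply:
        pair = parse_av_pair(line)
        if pair.attr in supported:
            applied[pair.attr] = pair.value.strip('"')
        elif pair.mandatory or reject_unknown_optional:
            return False, {}
        # Unknown optional attribute: ignored, as RFC 8907 permits.
    return True, applied


# Constructed reply: what an ACS shell profile carrying both a privilege
# level and the NX-OS role attribute might send.
SERVER_REPLY = ["priv-lvl=15", 'shell:roles*"network-admin"']

# Assumed attribute support per platform (illustrative, not exhaustive).
NXOS_SUPPORTED = {"priv-lvl", "shell:roles"}
IOS_SUPPORTED = {"priv-lvl", "autocmd", "timeout"}


def evaluate_platforms() -> Dict[str, bool]:
    """Run the same reply past three client behaviours."""
    return {
        "nx-os": authorize(SERVER_REPLY, NXOS_SUPPORTED)[0],
        "ios-compliant": authorize(SERVER_REPLY, IOS_SUPPORTED)[0],
        "ios-rejects-unknown-optional":
            authorize(SERVER_REPLY, IOS_SUPPORTED, reject_unknown_optional=True)[0],
    }


if __name__ == "__main__":
    for name, ok in evaluate_platforms().items():
        print(f"{name:30} {'PASS' if ok else 'FAIL'}")
```

The point to take from the three outcomes: a compliant IOS client ignores the unknown optional shell:roles attribute and still authorizes on priv-lvl alone, so a switch that denies access on the same reply is not following the optional-attribute rule; if the attribute were sent with "=" instead of "*", a denial from IOS would be the correct behaviour.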
Are you using RADIUS to access these boxes? I can tell by your av-pair that you are most likely using RADIUS.
If so, then you can create a Network Access Profile (it should be one of the options close to the bottom). There you can create a Network Access Profile based on the NAS-IP-Address of the Nexus devices, and from there you can choose the authorization policy.
Here is a guide on how to configure network access profiles.
As you are using TACACS+, you might have configured "shell:roles*network-admin" under the Shell (EXEC) custom attributes in the ACS 4.x Group/User Setup. As the Nexus devices are working as expected, you have confirmed that you are using the appropriate attribute format.
As for IOS failing authorization when the Nexus attribute is sent as well, you are pretty much hitting the following bug if using TACACS+: