New Member

ACS 5.1 Tacacs+ Nexus 5000

Hello,

I am having some problems changing the role of my AD-validated user on my Nexus.

Users are validated against AD, then I am trying to push an AV-pair attribute to change the user role to network-admin.

All settings are getting assigned to my user (access profile, shell, etc.).

I tried the following custom attributes in my shell profile:

Attribute          Value
shell              roles="network-admin"
shell              roles=network-admin
shell:roles        "network-admin"
shell:roles        network-admin
cisco-av-pair      shell:roles="network-admin"

When I do a show user-account, my user is never network-admin; it stays at network-operator.

Any idea?

3 REPLIES
Cisco Employee

Re: ACS 5.1 Tacacs+ Nexus 5000

Hello,

There is a known bug w.r.t. authorization in 4.x versions of the Nexus code. As a workaround, try the following under the aaa server group:

use-vrf default (or management, depending on which VRF is used to reach the AAA server).

The attribute should be cisco-av-pair=shell:roles and the value should be network-admin.

Thanks,

Mani

New Member

Re: ACS 5.1 Tacacs+ Nexus 5000

Hi, is this the correct format, and how do I apply it?

Attribute: cisco-av-pair*shell:roles

Value: "network-operator"

In ACS 4.x we assigned it under custom attribute:

cisco-av-pair*shell:roles="network-operator"

Thx

Hubert

Cisco Employee

Re: ACS 5.1 Tacacs+ Nexus 5000

Hello,

Just

attribute - shell:roles
requirement - optional
value - network-operator

should do. I have been using this all the time with no problems. I believe the format you have been using should also work. In any case, be aware that the other AV pairs that I see in your shell profile might break Nexus, as Nexus might not understand some of those attributes. You could either make all those attributes optional (so any device which doesn't understand those attributes will ignore them), or you could create separate shell profiles for IOS and Nexus and tie them to access policies based on which NDG the request is coming from.

Thanks,

Mani
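As an added example (not from this thread, and not Cisco or NX-OS code), the following Python model shows why the rows in the original post behave differently and why the last reply recommends marking attributes optional. It applies the TACACS+ attribute-value rule from RFC 8907 section 6.1: "attribute=value" is mandatory and a client that does not understand it must fail the authorization, while "attribute*value" is optional and may be ignored. The set of understood attributes, the default role, and the assumption that each shell-profile row is sent on the wire as "attribute<separator>value" are assumptions made for this model, not verified ACS or NX-OS behaviour.

```python
"""Model of how a TACACS+ client (an NX-OS-like switch, hypothetically) reads the
attribute-value pairs returned by ACS in an authorization reply."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Attributes our model device understands. Constructed for this example; a real
# NX-OS build has its own list, which is exactly why unknown IOS-style AV pairs
# can break authorization when they are sent as mandatory.
UNDERSTOOD_ATTRIBUTES = {"shell:roles", "priv-lvl"}

# Role the model assigns when no usable role is pushed (assumed default).
DEFAULT_ROLE = "network-operator"

# RFC 8907 section 6.1: "attribute=value" is mandatory, "attribute*value" is optional.
AV_PAIR_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.DOTALL)


@dataclass(frozen=True)
class AVPair:
    attribute: str
    separator: str  # "=" mandatory, "*" optional
    value: str

    @property
    def mandatory(self) -> bool:
        return self.separator == "="


def parse_av_pair(text: str) -> AVPair:
    """Split one wire-format pair into attribute, separator and value."""
    match = AV_PAIR_RE.match(text)
    if match is None:
        raise ValueError(f"not an attribute-value pair: {text!r}")
    attribute, separator, value = match.groups()
    return AVPair(attribute.strip(), separator, value.strip())


def unwrap_cisco_av_pair(pair: AVPair) -> AVPair:
    """ACS's "cisco-av-pair" attribute carries a nested pair as its value;
    the device acts on the inner pair (assumed encoding for this model)."""
    if pair.attribute == "cisco-av-pair":
        return parse_av_pair(pair.value)
    return pair


def roles_from_reply(pairs: Iterable[str],
                     understood=UNDERSTOOD_ATTRIBUTES) -> List[str]:
    """Apply the RFC 8907 rule: an unknown mandatory attribute fails the
    authorization, an unknown optional attribute is ignored. Returns the roles."""
    roles: List[str] = []
    for raw in pairs:
        pair = unwrap_cisco_av_pair(parse_av_pair(raw))
        if pair.attribute not in understood:
            if pair.mandatory:
                raise PermissionError(
                    f"authorization failed: unknown mandatory attribute {pair.attribute!r}")
            continue  # optional and unknown: silently ignored
        if pair.attribute == "shell:roles":
            # Quoted, space-separated role list such as "network-admin vdc-admin"
            roles.extend(pair.value.strip('"').split())
    return roles


def effective_role(pairs: Iterable[str]) -> str:
    """Role a 'show user-account' would display in this model: the first pushed
    role, or the default when nothing usable was pushed."""
    roles = roles_from_reply(pairs)
    return roles[0] if roles else DEFAULT_ROLE


if __name__ == "__main__":
    # Constructed replies encoding the rows from the original post as attribute<sep>value
    attempts = [
        'shell=roles="network-admin"',       # attribute "shell" is unknown and mandatory
        'shell:roles="network-admin"',
        'shell:roles=network-admin',
        'shell:roles*network-operator',
        'cisco-av-pair=shell:roles="network-admin"',
        'ios-only-attr*x shell:roles=network-admin'.split()[0],  # unknown but optional
    ]
    for wire in attempts:
        try:
            print(f"{wire:45} -> {effective_role([wire])}")
        except PermissionError as err:
            print(f"{wire:45} -> {err}")
```

Running the block shows the row with attribute "shell" failing outright, the three "shell:roles" rows and the nested "cisco-av-pair" row yielding the intended role, and an unknown optional attribute being skipped; a mixed profile only breaks the session when one of the attributes the device does not recognise is sent as mandatory.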
