Cisco Support Community
Community Member

ACS4.2, NX-OS and Cisco AV-Pair Question

Hi,

I have some Nexus switches deployed in my network. They are authenticating user access via TACACS/ACS (4.2). I would like to get the user role part working, as currently any users logging in get defaulted to a network-operator role, so they don't have full configuration ability. Reading the Nexus guide I see that this is achieved by somehow using the following Cisco VSA:

shell:roles="network-operator vdc-admin"

Can anyone help me to understand specifically how to get this configured? I guess that on the ACS somewhere I need to return this attribute for a user. However, I can't see where it's configured. I have been through the ACS admin guide but it's not clear to me.

Many Thanks

RK

ACCEPTED SOLUTION


Re: ACS4.2, NX-OS and Cisco AV-Pair Question

You can configure this attribute per user or per group.

First, go to Interface Configuration -> TACACS+ and enable "Display a window for each service selected in which you can enter customized TACACS+ attributes".

Next, go to the user or group where you want to grant this role and check the box next to "Shell (exec)" and in the custom attributes field below add the role assignment.

Note: if you will be authenticating on both NX-OS and IOS devices, use * instead of = to make the role optional or the IOS devices will fail authorization.

i.e.:

shell:roles*"network-admin"

8 REPLIES

Community Member

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

Hi Javier,

That worked perfectly.

Thanks very much

RK

Community Member

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

Hi Javier

I have the same problem. I configured everything as you recommended in your posting, but I still end up in the default role "network-operator".

ACS 4.2 Configuration:

user config

shell exec (enabled)

shell:roles*"network-admin"

After Login - the output of the command "show user-account" says:

user:ude3964
        roles:network-operator
account created through REMOTE authentication

AAA Configuration:

rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request

rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+

tacacs-server timeout 3
tacacs-server host 172.28.193.34 key 7 "wg$yscmfv1"
tacacs-server host 172.28.193.35 key 7 "wg$yscmfv1"
aaa group server tacacs+ tacacs
    server 172.28.193.35
    source-interface Vlan501

In the debug aaa all - there is not much to see. NX-OS in this case is not as good as IOS.

In the ACS passed Authentication Report everything looks fine.

Do you have any idea how to go further?

Cheers

Patrick

Community Member

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

We are using both IOS and NX-OS switches. The av-pair used for IOS = shell:priv-lvl-15 and for NX-OS shell:role*"network-admin". After configuring:

"cisco av-pair = shell:priv-lvl-15 shell:role*"network-admin"" I can log in on the IOS switch in enable mode and only in network-operator mode on the NX-OS.

After configuring "cisco av-pair = shell:role*"network-admin" shell:priv-lvl-15", only NX-OS as network-admin and IOS in exec mode.

Do you have any idea how to configure the correct av-pair config for NX-OS and IOS switches?

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

Can you capture the traffic between the TACACS+ server and the switches and post it here, so we can see what is actually being sent?

You will want to capture both instances, ie, when NX-OS works right and when IOS works right.

Cisco Employee

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

Try removing:

aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs

I believe with Nexus you can only do rbac OR command authorization not both.

Community Member

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

Does anybody know if this can be done in ACS 5.1 as I am looking for TACACS+ VSA options to do this, but all I can find is RADIUS VSA options to be configured?

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

You can send custom AV pairs with ACS 5.1, by creating a custom shell profile under policy elements, then you would tie this shell profile to an authorization policy.
