Cisco Support Community

New Member

Cisco ACS 5.4 and Nexus 7000

Hi


I am trying to configure my Cisco ACS 5.4 via TACACS for a Nexus 7000 (NX-OS 6.2(2)), following this documentation:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html

But when logging into config mode I am limited to 4 commands on the Nexus 7000:

no  Negate a command or set its defaults
username  Configure user information.
end       Go to exec mode
exit      Exit from command interpreter

But when utilizing IOS Privilege level 15 (shell profile custom task default/max 15) I have 83 main commands.

Can you let me know if there is an ACS version dependency or better approach to configuring ACS for Nexus?

Thanks.

13 REPLIES
Cisco Employee


What role are you pushing for your user account? Can you please provide the output of 

show user-account


Regards,

Jatin Katyal

*Do rate helpful posts*

New Member


I cannot retrieve this information in config mode. But in enable mode I am a vdc-operator?


GW-CR-CORE-NX7010-1# sh user-account
user:admin
        this user account has no expiry date
        roles:vdc-admin
user:yi.jin
        roles:vdc-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
user:tuyen.nguyen
        roles:vdc-operator
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
GW-CR-CORE-NX7010-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
GW-CR-CORE-NX7010-1(config)# ?
  no        Negate a command or set its defaults
  username  Configure user information.
  end       Go to exec mode
  exit      Exit from command interpreter

I think I need to modify

shell:roles*"network-admin vdc-admin"

to

shell:roles*"network-admin,vdc-admin"
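The show user-account output above is the quickest device-side check of what role TACACS+ actually handed the session. The following parser is an added example written for this thread (not Cisco code): it turns that output into per-user records and lists the accounts that lack an expected role, so you can confirm whether the shell profile delivered network-admin/vdc-admin or only vdc-operator. The sample text is the output quoted in the post; the parser assumes the layout seen there (a user: line, an indented roles: line, and unindented remarks for REMOTE-created accounts).

```python
"""Parse NX-OS 'show user-account' output and flag accounts missing a role.

Added example for this forum thread, not Cisco code. Assumes the output
layout visible in the post: 'user:<name>' lines, an indented 'roles:' line
per user, and unindented remarks for accounts created through REMOTE
(TACACS+) authentication.
"""

# Sample output copied from the post above (not constructed).
SHOW_USER_ACCOUNT = """\
user:admin
        this user account has no expiry date
        roles:vdc-admin
user:yi.jin
        roles:vdc-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
user:tuyen.nguyen
        roles:vdc-operator
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
"""


def parse_user_accounts(text):
    """Return {username: {"roles": [...], "remote": bool}} from show user-account text."""
    accounts = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("user:"):
            current = stripped[len("user:"):]
            accounts[current] = {"roles": [], "remote": False}
        elif current is None:
            continue                      # text before the first user: line
        elif stripped.startswith("roles:"):
            # NX-OS lists several roles on one line separated by spaces.
            accounts[current]["roles"] = stripped[len("roles:"):].split()
        elif "REMOTE authentication" in stripped:
            accounts[current]["remote"] = True
    return accounts


def accounts_missing_role(accounts, wanted):
    """Usernames whose role list does not include the role the AAA server was meant to push."""
    return sorted(user for user, acct in accounts.items() if wanted not in acct["roles"])


def remote_accounts(accounts):
    """Usernames that exist only because TACACS+ created them at login."""
    return sorted(user for user, acct in accounts.items() if acct["remote"])


if __name__ == "__main__":
    accts = parse_user_accounts(SHOW_USER_ACCOUNT)
    for user, acct in accts.items():
        origin = "remote" if acct["remote"] else "local"
        print(f"{user:15} {origin:6} roles={' '.join(acct['roles'])}")
    print("missing vdc-admin:", accounts_missing_role(accts, "vdc-admin"))
```

Run it against a saved show user-account capture from the switch; the account that shows up under "missing vdc-admin" is the one whose TACACS+ shell profile is not delivering the expected role, which is exactly the symptom in this thread.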


Cisco Employee


You're not getting the required role and that is the only reason you are unable to see/execute all the commands. You don't need to use (,) between "network-admin vdc-admin". I guess you are not hitting the right authorization rule under device administration. Please check the monitoring and reports > tacacs authorization for further details.

Use the debug tacacs+ all and debug aaa authorization commands to enable the trace.

Log in the user again, and collect the debug trace.

The trace should contain information for further investigation.


Regards,

Jatin Katyal

New Member


Thanks for the feedback. I inserted a comma, based upon the link below, and it fixed the issue.

https://supportforums.cisco.com/discussion/12030911/acs-54-nexus-7k-user-roles-not-correct


Hi, Tuyen. I have a question:

How did you introduce the custom attributes in shell profile? Were you able to introduce an attribute with quotation marks? I get logged out just after submitting...

Regards,

Ivan

Cisco Employee


Ivan,

There was a defect on this topic:

CSCug53703     Authorization profile with double quotes, ACS getting logged out.

This has been fixed in ACS 5.4 patch 4 and later.

What version are you running?

- Jatin



It seems to be hitting a similar problem on later versions. Our version is 5.4.0.46.6.

Maybe it was solved for Authorization profile but it is not for Shell Profiles.

Thanks for the tip, Jatin!! I found the bug:

https://tools.cisco.com/bugsearch/bug/CSCut06874/?referring_site=ss

Cisco Employee


Try this:

Copy and paste these characters and don't enter them via the keyboard; it is not considered a valid use case.

Let me know how it goes.

- Jatin



Thanks Jatin, but it is the same behaviour, I tried copying the parameters from this link with the same result:

https://supportforums.cisco.com/discussion/12030911/acs-54-nexus-7k-user-roles-not-correct

I tried to use ' instead of " and it does not even add the attribute to the list. Any other idea?

New Member


Hi Ivan

I used the following to fix my issue. Hope it helps.

cisco-av-pair=shell:roles*”network-admin,vdc-admin”


Hi Tuyen,

Which is your ACS version (5.4.X.Y.Z)?

When I try to submit the attribute with double quote character, I get logged out.

New Member


We previously had 5-4-0-46-8 when we encountered the issue.


Hi Jatin,

I copied the end of the GET string that Explorer is sending to ACS:

&contextData.inputMethod=EDIT&commonTaskAttrList=Assigned+Privilege+Level%09Mandatory%091&commonTaskAttrList=Max+Privilege+Level%09Mandatory%0915&customAttrListType=Static&customAttrList=cisco-av-pair%09Mandatory%09shell%3Aroles%3D%22network-admin%22

%22 is the correct encoding for a double quote, so the problem must be in the ACS server; maybe it is filtering the GET parameter input too aggressively...
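Two things in this thread are easy to get wrong when building the shell profile: the exact cisco-av-pair text (separator, quoting, comma between roles, as in Tuyen's working attribute above) and what actually reaches ACS once the browser URL-encodes the form. The script below is an added example written for this thread, not ACS or Cisco code. It decodes the GET string quoted above, pulls the cisco-av-pair out of it, splits a shell:roles value into NX-OS role names, and lints an av-pair before it is pushed, flagging non-ASCII characters (curly quotes pasted from a web page) and values not wrapped in straight double quotes. The tab-separated name/requirement/value layout of the AttrList fields and the '=' (mandatory) versus '*' (optional) separator convention are assumptions drawn from the posts, and the role splitter accepts both the comma-separated form that fixed the issue here and the space-separated form from the linked Cisco document.

```python
"""Decode an ACS shell-profile GET string and check the cisco-av-pair it carries.

Added example for this forum thread, not ACS or Cisco code. Assumptions:
the AttrList fields are tab-separated "name<TAB>requirement<TAB>value"
triples (as the %09 separators in the post suggest), '=' marks a mandatory
av-pair and '*' an optional one, and NX-OS roles inside shell:roles may be
separated by commas or spaces.
"""
import re
from urllib.parse import parse_qs

# Tail of the GET string quoted in the post above (copied, not constructed).
QUERY = (
    "&contextData.inputMethod=EDIT"
    "&commonTaskAttrList=Assigned+Privilege+Level%09Mandatory%091"
    "&commonTaskAttrList=Max+Privilege+Level%09Mandatory%0915"
    "&customAttrListType=Static"
    "&customAttrList=cisco-av-pair%09Mandatory%09shell%3Aroles%3D%22network-admin%22"
)

# attribute name, then '=' (mandatory) or '*' (optional), then the raw value
AVPAIR_RE = re.compile(r"^(?P<attr>[A-Za-z0-9_.:-]+)(?P<sep>[=*])(?P<value>.*)$")

NON_ASCII = "non-ASCII character present (curly quotes pasted from a web page are the usual cause)"
NOT_QUOTED = "value is not wrapped in straight double quotes"


def decode_profile_query(query):
    """Return {attribute_name: (requirement, value)} for every *AttrList entry."""
    fields = parse_qs(query, keep_blank_values=True)   # undoes %xx and '+' encoding
    attrs = {}
    for key in ("commonTaskAttrList", "customAttrList"):
        for entry in fields.get(key, []):
            name, requirement, value = entry.split("\t", 2)
            attrs[name] = (requirement, value)
    return attrs


def parse_avpair(avpair):
    """Split a cisco-av-pair into (attribute, mandatory?, value with straight quotes removed)."""
    m = AVPAIR_RE.match(avpair)
    if not m:
        raise ValueError(f"not an av-pair: {avpair!r}")
    value = m.group("value")
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return m.group("attr"), m.group("sep") == "=", value


def nxos_roles(avpair):
    """Role names carried by a shell:roles av-pair (comma- or space-separated)."""
    attr, _mandatory, value = parse_avpair(avpair)
    if attr != "shell:roles":
        raise ValueError(f"expected shell:roles, got {attr}")
    roles = [r for r in re.split(r"[,\s]+", value) if r]
    if not roles:
        raise ValueError("shell:roles carries no role names")
    return roles


def lint_avpair(avpair):
    """Problems worth fixing before the profile is pushed to the switch."""
    problems = []
    if any(ord(c) > 127 for c in avpair):
        problems.append(NON_ASCII)
    attr, _mandatory, _value = parse_avpair(avpair)
    raw = avpair[len(attr) + 1:]          # everything after the separator
    if not (len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'):
        problems.append(NOT_QUOTED)
    return problems


if __name__ == "__main__":
    attrs = decode_profile_query(QUERY)
    for name, (req, value) in attrs.items():
        print(f"{name:24} {req:10} {value}")
    avpair = attrs["cisco-av-pair"][1]
    print("roles pushed:", nxos_roles(avpair), "problems:", lint_avpair(avpair))
    # Constructed example of the curly-quote pitfall from this thread.
    print("curly-quote lint:", lint_avpair("shell:roles*\u201dnetwork-admin,vdc-admin\u201d"))
```

Feeding it the GET string from the post shows ACS received a correctly encoded shell:roles="network-admin", so the logout is not a browser encoding problem; the lint step is the check to run on any av-pair pasted in from a web page, since a curly quote will survive the paste but is not the straight quote the switch expects.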
