Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configuring ACS 5.4 to authenticate Role Based Access Control (RBAC) users on a Nexus 5000 via TACACS+

There is a great document on the site for configuring ACS 5.X to authenticate voa TACACS+ but with 5.4 - there is possibly an extra step required.

https://supportforums.cisco.com/docs/DOC-14273

In 5.4 where you map the Shell Profile to the Authorization Policy – you are now required to specify a Command Set undert eh Shell Profile, whihch 5.2 didnt have. Trying to accomplish using the default san-admin role in NX-OS.

ACS_Shell Profile.png

Everyone's tags (4)
4 REPLIES

Re: Configuring ACS 5.4 to authenticate Role Based Access Contro

I think the command set does not matter.

Because the Nexus takes only the role and does not use per-command authorization (AFAIK), then it will take the role from the shell profile but selecting the command set does not matter because it does not use per command authorization.

I used command sets with CRS-1 and they had no effect. Only the shell profile configuration matters.

What is the situation at your end? do things work fine with/without selecting the command set? or putting empty command set in place?

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
New Member

Configuring ACS 5.4 to authenticate Role Based Access Control (R

Amjad - thank you for post.

The first thing I found was the Command Set feature is customizeable - it can be removed by:

“On Access Policies>Authorization> Click customize, and remove the command set from the selected side, as you do not wish to use commands sets.”

The second thing is when both the Shell Profile and the Command Set are used together - the most restrictive takes precedence. I applied a PermitAll command set but was still limited tothe premsisions set forth inthesan-admin NX-OS role,


Re: Configuring ACS 5.4 to authenticate Role Based Access Contro

Jenny - Thanks for the info.

So, if you are mentioning taht the most restrictive takes place, does that mean if you choose DenyAll then you will not be able to issue any command regardless of your role?

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
New Member

Configuring ACS 5.4 to authenticate Role Based Access Control (R

In this instance with the Nexus 5K - if I chose DenyAll as the CommandSet - I get denied right away.

SWITCH2# conf t

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

SWITCH# sh run

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

1276
Views
2
Helpful
4
Replies