I have a Nexus 5020 NX-OS 4.1(3)N2(1) configured for RADIUS server authentication and I have a group "network" in ACS that has the shell:role="network-admin". I have noticed that if you're in ACS as a user not of my "network" group, the Nexus will still allow you to log in and run all the show commands. How can I get rid of the default role? I don't want anyone to be able to run show commands by default.
I haven't worked with NX-OS yet, so I don't know if this will work with them, but if you have grouped the Nexus devices in the ACS in the 'Network Configuration' tab, you can try the following to deny access to them to users.
Once you've grouped them properly, you can then create a 'Network Access Filter', which is found under 'Shared Profile Components', name it and select the group you put your Nexus' in.
Then go to the group of the users that you don't want to allow access to the Nexus and in the 'Network Access Restrictions (NAR)' section, look for the 'Per Group Defined Network Access Restrictions' part, select the 'define IP-based access restrictions', select 'Denied Calling/Point of Access Locations' from the 'Table Defines' drop down. In the 'AAA Client' drop down you can select the NDG Nexus group, put a * in 'Port' and a * in 'Address' and then add it.
I think you need to restart the ACS service.
See how that goes. I hope I've understood what you're after and if not I apologise.