https://community.cisco.com/t5/network-access-control/acs-4-2-tacacs-with-ios-boxen-works-fine-but-won-t-allow-nexus/m-p/2161054#M123678 <P>Howdy CSC,</P><P></P><P>So I am being presented with my second customer in less than 90 days that are running an existing ACS 4.2 AAA system doing AD username/password lookup, and are doing full TACACS+ AAA with IOS boxen, both routers and switches. Everything works fine, everyone is happy.</P><P></P><P>Now both customers want to add multiple Nexus platforms to the mix... N7Ks, N5Ks, etc.&nbsp;&nbsp; </P><P></P><P>Dealing with custom attribute values is not something I normally play with (hey, I'm route/switch, not security!), so of course I come over here to figure out how to make all this stuff work, RTFM, etc.</P><P></P><P>Everything I see points to adding the custom attribute value "shell:roles=network-admin" to the TACACS+ settings under the user group, which I do. And now the users are able to log into the Nexus equipment and receive the proper user role, that works great.</P><P></P><P>And now all AAA to IOS boxen are broken. Username/password are sent and verified, then we get kicked out of that IOS box with the error "authorization failed".</P><P></P><P>I remove the custom attribute from the group, and access to the IOS boxen works again. And of course breaks the Nexus devices.</P><P></P><P>Just discussing this with some of our security engineers, the general consensus is to do one of the following:</P><P></P><P>1) Upgrade to ACS 5.x</P><P>2) Stand up new ACS 4.2 servers exclusively for the Nexus devices</P><P>3) Create/manage separate local usernames/usergroup in the existing ACS 4.2 servers to be used exclusively for the Nexus devices.</P><P></P><P>Customers are already budget-constrained, so option 1 isn't feasible, same issue for option 2. Option 3 seems most practical at this point, but the customer is not going to like having to remember multiple network management usernames/passwords.</P><P></P><P>Anyone have any suggestions or alternatives?</P> Mon, 11 Mar 2019 03:10:15 GMT rmarosko 2019-03-11T03:10:15Z https://community.cisco.com/t5/network-access-control/acs-4-2-tacacs-with-ios-boxen-works-fine-but-won-t-allow-nexus/m-p/2161054#M123678 <P>Howdy CSC,</P><P></P><P>So I am being presented with my second customer in less than 90 days that are running an existing ACS 4.2 AAA system doing AD username/password lookup, and are doing full TACACS+ AAA with IOS boxen, both routers and switches. Everything works fine, everyone is happy.</P><P></P><P>Now both customers want to add multiple Nexus platforms to the mix... N7Ks, N5Ks, etc.&nbsp;&nbsp; </P><P></P><P>Dealing with custom attribute values is not something I normally play with (hey, I'm route/switch, not security!), so of course I come over here to figure out how to make all this stuff work, RTFM, etc.</P><P></P><P>Everything I see points to adding the custom attribute value "shell:roles=network-admin" to the TACACS+ settings under the user group, which I do. And now the users are able to log into the Nexus equipment and receive the proper user role, that works great.</P><P></P><P>And now all AAA to IOS boxen are broken. Username/password are sent and verified, then we get kicked out of that IOS box with the error "authorization failed".</P><P></P><P>I remove the custom attribute from the group, and access to the IOS boxen works again. And of course breaks the Nexus devices.</P><P></P><P>Just discussing this with some of our security engineers, the general consensus is to do one of the following:</P><P></P><P>1) Upgrade to ACS 5.x</P><P>2) Stand up new ACS 4.2 servers exclusively for the Nexus devices</P><P>3) Create/manage separate local usernames/usergroup in the existing ACS 4.2 servers to be used exclusively for the Nexus devices.</P><P></P><P>Customers are already budget-constrained, so option 1 isn't feasible, same issue for option 2. Option 3 seems most practical at this point, but the customer is not going to like having to remember multiple network management usernames/passwords.</P><P></P><P>Anyone have any suggestions or alternatives?</P> Mon, 11 Mar 2019 03:10:15 GMT https://community.cisco.com/t5/network-access-control/acs-4-2-tacacs-with-ios-boxen-works-fine-but-won-t-allow-nexus/m-p/2161054#M123678 rmarosko 2019-03-11T03:10:15Z https://community.cisco.com/t5/network-access-control/acs-4-2-tacacs-with-ios-boxen-works-fine-but-won-t-allow-nexus/m-p/2161055#M123679 <HTML><HEAD></HEAD><BODY><P>Ron,</P><P></P><P>Did you see the post linked below?&nbsp; Implies you may need to replace the equal sign("=") with an asterisk("*") to achieve desired result.&nbsp; Might be worth a try.</P><P></P><P><A class="jive-link-external-small" href="https://community.cisco.com/thread/2013536">https://supportforums.cisco.com/thread/2013536</A><SPAN> </SPAN></P></BODY></HTML> Fri, 08 Mar 2013 21:11:18 GMT https://community.cisco.com/t5/network-access-control/acs-4-2-tacacs-with-ios-boxen-works-fine-but-won-t-allow-nexus/m-p/2161055#M123679 dherrald 2013-03-08T21:11:18Z https://community.cisco.com/t5/network-access-control/acs-4-2-tacacs-with-ios-boxen-works-fine-but-won-t-allow-nexus/m-p/2161056#M123680 <HTML><HEAD></HEAD><BODY><P>David:</P><P></P><P>Good answer. +5.</P><P></P><P>I think that is going to fix the issue.</P><P></P><P>Regards,</P><P></P><P>Amjad</P><P></P><P><SPAN style="color: blue;">Rating useful replies is more useful than saying <SPAN style="color: green;"> "<SPAN style="text-decoration: underline;">Thank you</SPAN>"</SPAN></SPAN></P></BODY></HTML> Sat, 09 Mar 2013 09:26:12 GMT https://community.cisco.com/t5/network-access-control/acs-4-2-tacacs-with-ios-boxen-works-fine-but-won-t-allow-nexus/m-p/2161056#M123680 Amjad Abdullah 2013-03-09T09:26:12Z