topic Re: ACS4.2, NX-OS and Cisco AV-Pair Question in Network Access Control

ACS4.2, NX-OS and Cisco AV-Pair Question

rkoudmani — Mon, 11 Mar 2019 00:04:18 GMT

Hi,

I have some Nexus switches deployed in my network. They are authenticating user access via TACACS/ACS (4.2). I would like to get the user role part working as currently any users logging in get defaulted to a network-operator role so doen't have full configuration ability. Reading the Nexus guide I see that this is achieved by somehow using, the following cisco vsa :

shell:roles=“network-operator vdc-admin”

Can anyone help me to understand specifically how to get this configured. I guess that on the ACS somewhere I need to return this attribute for a user. However I can't see where its configured. I have been through the ACS admin guide but its not clear to me.

Many Thanks

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

Javier Henderson — Mon, 19 Apr 2010 16:32:29 GMT

You can configure this attribute per user or per group.

First, go to Interface Configuration -> TACACS+ and enable "Display a window for each service selected in which you can enter customized TACACS+ attributes".

Next, go to the user or group where you want to grant this role and check the box next to "Shell (exec)" and in the custom attributes field below add the role assignment.

Note: if you will be authenticating on both NX-OS and IOS devices, use * instead of = to make the role optional or the IOS devices will fail authorization.

ie:

shell:roles*"network-admin"

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

rkoudmani — Tue, 20 Apr 2010 10:32:32 GMT

Hi Javier,

That worked perfectly.

Thanks very much

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

pat1848 — Tue, 27 Apr 2010 06:44:32 GMT

Hi Javier

I've the same problem. I configured everything as you recommended in your posting, but i still end up in the deault role "network-operator"

ACS 4.2 Configuration:

user config

shell exec (enabled)

shell:roles*"network-admin"

After Login - the output of the command "show user-account" says:

user:ude3964
roles:network-operator
account created through REMOTE authentication

AAA Configuration:

rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request

rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+

tacacs-server timeout 3
tacacs-server host 172.28.193.34 key 7 "wg$yscmfv1"
tacacs-server host 172.28.193.35 key 7 "wg$yscmfv1"
aaa group server tacacs+ tacacs
server 172.28.193.35
source-interface Vlan501

In the debug aaa all - there is not much to see. NX-OS in this case is not as good as IOS.

In the ACS passed Authentication Report everything looks fine.

Do you have any idea how to go further?

Cheers

Patrick

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

fwim — Thu, 10 Jun 2010 13:15:28 GMT

We are using both IOS en NX-OS switches. The av-pair used for IOS = shell:priv-lvl-15 and for NX-OS shell:role*"network-admin" After configuring ;

" cisco av-pair = shell:priv-lvl-15 shell:role*"network-admin" " I can login on de IOS switch in enable mode en only network-operator mode on the NX-OS.

After configuring; "cisco av-pair =shell:role*"network-admin" shell:priv-lvl-15 " only NX-OS as network-admin and IOS in exec mode

Do you have any idea how to configure the correct config for av-pair for NX-OS and IOS switches

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

Javier Henderson — Thu, 10 Jun 2010 13:24:25 GMT

Can you capture the traffic between the TACACS+ server and the switches and post it here, so we can see what is actually being sent?

You will want to capture both instances, ie, when NX-OS works right and when IOS works right.

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

Elly Bornstein — Fri, 11 Jun 2010 18:21:01 GMT

Try removing:

aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs

I believe with Nexus you can only do rbac OR command authorization not both.

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

Nicholas Poole — Thu, 18 Nov 2010 13:50:26 GMT

Does anybody know if this can be done in ACS 5.1 as I am looking for TACACS+ VSA options to do this, but all I can find is RADIUS VSA options to be configured?

Re: ACS4.2, NX-OS and Cisco AV-Pair Question

Javier Henderson — Thu, 18 Nov 2010 13:55:06 GMT

You can send custom AV pairs with ACS 5.1, by creating a custom shell profile under policy elements, then you would tie this shell profile to an authorization policy.