topic Re: Unable to do changes - Current privilege level: -1 in Network Access Control

Unable to do changes - Current privilege level: -1

ziqex — Thu, 03 Mar 2022 16:07:15 GMT

Hi,

I authenticate with the switch with ACS.

Authentication is successful but I am unable to run show run or make change in configure terminal.

sh privilege
User name: testacc
Current privilege level: -1
Feature privilege: Disabled

sh run
% Permission denied for the role

Hardware
cisco Nexus5548 Chassis

Reason: Reset Requested by CLI command reload
System version: 7.3(7)N1(1b)

Please advise how can I resolve it. Thank you.

Regards,

Daniel

Re: Unable to do changes - Current privilege level: -1

balaji.bandi — Thu, 03 Mar 2022 16:08:51 GMT

Current privilege level: -1

change level to 15

https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/116236-configure-acs-00.html

Re: Unable to do changes - Current privilege level: -1

ziqex — Thu, 03 Mar 2022 16:12:04 GMT

Exactly the same account has privilege 15 on different devices. Thank you.

show privilege
Current privilege level is 15

Re: Unable to do changes - Current privilege level: -1

balaji.bandi — Thu, 03 Mar 2022 17:16:22 GMT

Then what prompt are you in nexus : (another device is nexus ? or IOS ?)

> or #

Re: Unable to do changes - Current privilege level: -1

ziqex — Thu, 03 Mar 2022 17:23:17 GMT

On nexus and ios I'm getting logged in directly to #.

Whereas for nexus I cannot execute sh run command.

Thank you

Re: Unable to do changes - Current privilege level: -1

balaji.bandi — Thu, 03 Mar 2022 17:35:00 GMT

IOS works, nexus have network-admin role

check the below config guide and add necessary action :

https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html

Re: Unable to do changes - Current privilege level: -1

ziqex — Fri, 04 Mar 2022 12:46:19 GMT

I've been following the guide but on the step 5 ACS I cannot create new authorization rule I have only Default rule available and cannot add new one. Create add below and above is blank. Please advise. Thank you

5. Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, TACACS+ requests are processed by the Default Device Admin access policy.

Re: Unable to do changes - Current privilege level: -1

ziqex — Fri, 04 Mar 2022 13:28:32 GMT

I managed to add the new rule. I had to switch to the internet explorer as it did not like chrome for some reason. Thank you for all information provided.

Re: Unable to do changes - Current privilege level: -1

balaji.bandi — Fri, 04 Mar 2022 14:19:59 GMT

glad working all good, yes IE is good with ACS, some how cisco ACS not work with chrome as expected (forgot to mentioned)

Re: Unable to do changes - Current privilege level: -1

ziqex — Tue, 08 Mar 2022 08:45:42 GMT

I managed to view the running config after correct value to the shell profile (Value: shell:roles*"network-admin vdc-admin").

Unfortunately, I cannot make any configuration changes as getting the AAA authorisation error.

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

Any advice how to resolve it? Thanks

Re: Unable to do changes - Current privilege level: -1

balaji.bandi — Tue, 08 Mar 2022 09:48:25 GMT

how does your AAA config looks like in nexus add below command : ( Do not lockup yourself. make sure you have fall back to Locla account)

aaa authorization config-commands default group radius_servers (radisu_servers your group)

Re: Unable to do changes - Current privilege level: -1

ziqex — Tue, 08 Mar 2022 09:52:14 GMT

the current aaa config is as below

sh run aaa

!Command: show running-config aaa

version 7.3(7)N1(1b)
aaa authentication login default group ACS_Servers local
aaa authentication login console local
aaa authorization config-commands default group ACS_Servers

Thanks

Re: Unable to do changes - Current privilege level: -1

balaji.bandi — Tue, 08 Mar 2022 15:53:21 GMT

Can you post ACS_Servers information

Re: Unable to do changes - Current privilege level: -1

ziqex — Tue, 08 Mar 2022 15:56:28 GMT

aaa group server tacacs+ ACS_Servers
server 10.94.1.28
server 10.94.2.30

thanks

Re: Unable to do changes - Current privilege level: -1

ziqex — Tue, 08 Mar 2022 16:03:25 GMT

We have also tried stopping ACS authentication and using local account (authentication was successful but could not make changes) but still could not make changes to the configuration.

The local account has role network-admin assigned to it.

Thanks,

Daniel

Re: Unable to do changes - Current privilege level: -1

balaji.bandi — Tue, 08 Mar 2022 16:43:13 GMT

have this configuration written ?

In this case Looks like it locked up now, you have only Option here is console, try connect to console , since it confgured as local.

Re: Unable to do changes - Current privilege level: -1

ziqex — Wed, 09 Mar 2022 08:33:37 GMT

I still have remote access to the device. Is there any command that will allow me to have option to change configuration?

In the current state I can only view show commands.

Thanks

Re: Unable to do changes - Current privilege level: -1

balaji.bandi — Wed, 09 Mar 2022 12:43:53 GMT

if you have remote access, are you using local account or radius loging ?

do you have any config command access :

post aaa command information what configured

Re: Unable to do changes - Current privilege level: -1

ziqex — Wed, 09 Mar 2022 12:48:17 GMT

I am using account that was created in ACS, it has Value: shell:roles*"network-admin vdc-admin" assigned to the shell profile.

It still prevents me from creating new vlans in the configuration mode. Thanks

sh run aaa

!Command: show running-config aaa

aaa authentication login default group ACS_Servers local
aaa authentication login console local
aaa authorization config-commands default group ACS_Servers