https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393913#M88579 <HTML><HEAD></HEAD><BODY><P>Jenny - Thanks for the info.</P><P>So, if you are mentioning taht the most restrictive takes place, does that mean if you choose DenyAll then you will not be able to issue any command regardless of your role?</P><P></P><P><SPAN style="color: blue;">Rating useful replies is more useful than saying <SPAN style="color: green;"> "<SPAN style="text-decoration: underline;">Thank you</SPAN>"</SPAN></SPAN></P></BODY></HTML> Thu, 23 Jan 2014 05:14:01 GMT Amjad Abdullah 2014-01-23T05:14:01Z https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393910#M88576 <P>There is a great document on the site for configuring ACS 5.X to authenticate voa TACACS+ but with 5.4 - there is possibly an extra step required. </P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-14273" target="_blank">https://supportforums.cisco.com/docs/DOC-14273</A></P><P></P><P></P><P>In 5.4 where you map the Shell Profile to the Authorization Policy – you are now required to specify a Command Set undert eh Shell Profile, whihch 5.2 didnt have. Trying to accomplish using the default san-admin role in NX-OS. </P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/1/3/8/177831-ACS_Shell%20Profile.png" alt="ACS_Shell Profile.png" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P> Mon, 11 Mar 2019 04:18:30 GMT https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393910#M88576 jenny conlan 2019-03-11T04:18:30Z https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393911#M88577 <HTML><HEAD></HEAD><BODY><P>I think the command set does not matter.</P><P>Because the Nexus takes only the role and does not use per-command authorization (AFAIK), then it will take the role from the shell profile but selecting the command set does not matter because it does not use per command authorization.</P><P></P><P>I used command sets with CRS-1 and they had no effect. Only the shell profile configuration matters.</P><P></P><P>What is the situation at your end? do things work fine with/without selecting the command set? or putting empty command set in place?</P><P></P><P></P><P><SPAN style="color: blue;">Rating useful replies is more useful than saying <SPAN style="color: green;"> "<SPAN style="text-decoration: underline;">Thank you</SPAN>"</SPAN></SPAN></P></BODY></HTML> Wed, 22 Jan 2014 05:20:39 GMT https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393911#M88577 Amjad Abdullah 2014-01-22T05:20:39Z https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393912#M88578 <HTML><HEAD></HEAD><BODY><P>Amjad - thank you for post. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P>The first thing I found was the Command Set feature is customizeable - it can be removed by:</P><PRE>“On Access Policies&gt;Authorization&gt; Click customize, and remove the command set from the selected side, as you do not wish to use commands sets.”</PRE><P></P><P><SPAN style="font-size: 10pt;">The second thing is when both the Shell Profile and the Command Set are used together - the most restrictive takes precedence. I applied a PermitAll command set but was still limited tothe premsisions set forth inthesan-admin NX-OS role, </SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P></BODY></HTML> Wed, 22 Jan 2014 15:53:53 GMT https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393912#M88578 jenny conlan 2014-01-22T15:53:53Z https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393913#M88579 <HTML><HEAD></HEAD><BODY><P>Jenny - Thanks for the info.</P><P>So, if you are mentioning taht the most restrictive takes place, does that mean if you choose DenyAll then you will not be able to issue any command regardless of your role?</P><P></P><P><SPAN style="color: blue;">Rating useful replies is more useful than saying <SPAN style="color: green;"> "<SPAN style="text-decoration: underline;">Thank you</SPAN>"</SPAN></SPAN></P></BODY></HTML> Thu, 23 Jan 2014 05:14:01 GMT https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393913#M88579 Amjad Abdullah 2014-01-23T05:14:01Z https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393914#M88580 <HTML><HEAD></HEAD><BODY><P> In this instance with the Nexus 5K - if I chose DenyAll as the CommandSet - I get denied right away.</P><P></P><P>SWITCH2# conf t</P><P>Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)</P><P>SWITCH# sh run</P><P>Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)</P></BODY></HTML> Thu, 23 Jan 2014 20:40:49 GMT https://community.cisco.com/t5/network-access-control/configuring-acs-5-4-to-authenticate-role-based-access-control/m-p/2393914#M88580 jenny conlan 2014-01-23T20:40:49Z