I am using ACS 5.2 and attempting to authorize users through TACACS to Nexus 5.1 code. I seem to have ACS set up correctly based on documentation I received through here. The problem is that NX-OS doesn't seem to be operating as expected. I performed a debug on the Nexus and received the following output:
2011 Feb 8 07:04:23.227576 tacacs: tplus_decode_author_response: Attributes count 3
2011 Feb 8 07:04:23.227585 tacacs: tplus_decode_author_response: attribute 0 idletime=15
2011 Feb 8 07:04:23.227596 tacacs: tplus_decode_author_response: attribute 1 priv-lvl=15
2011 Feb 8 07:04:23.227606 tacacs: tplus_decode_author_response: attribute 2 roles=Network-Admin
2011 Feb 8 07:04:23.227931 tacacs: tplus_getroles(1937)Feature privilege: Disabled
2011 Feb 8 07:04:23.227959 tacacs: tplus_getroles(1957): privilege level 15, corresponding role is: network-admin
2011 Feb 8 07:04:23.227971 tacacs: tplus_decode_author_response: privilege level 15 is specified and corresponding role is network-admin
2011 Feb 8 07:04:23.228007 tacacs: AAA_RESP: status=2, av_count=2, ctx_len=294, server_msg_len=0, server_data_len=0
2011 Feb 8 07:04:23.228020 tacacs: AAA_RESP: 0 th attribute network-admin
2011 Feb 8 07:04:23.228029 tacacs: AAA_RESP: 1 th attribute XX.XXX.XX.XX
2011 Feb 8 07:04:23.228039 tacacs: tplus_decode_author_response: exiting for aaa session: 0
Yes, in this scenario I do get put into the Network-Admin role, but that is based on priv and not the roles AV setting. This is important because I have other roles that need assigning (i.e. VDC-Admin and "READ_CONFIG", which is added through the CLI).
So I figured that setting the Privilege level was causing my problem and reran the same test:
2011 Feb 8 07:10:24.052767 tacacs: tplus_decode_author_response: entering for aaa session: 0
2011 Feb 8 07:10:24.052788 tacacs: tplus_decode_author_response: Attributes count 2
2011 Feb 8 07:10:24.052797 tacacs: tplus_decode_author_response: attribute 0 idletime=15
2011 Feb 8 07:10:24.052808 tacacs: tplus_decode_author_response: attribute 1 roles=Network-Admin
2011 Feb 8 07:10:24.052825 tacacs: tplus_decode_author_response: privilege level is not specifiedor if specified, roles has been given priority
2011 Feb 8 07:10:24.052855 tacacs: AAA_RESP: status=2, av_count=1, ctx_len=294, server_msg_len=0, server_data_len=0
2011 Feb 8 07:10:24.052867 tacacs: AAA_RESP: 0 th attribute XX.XXX.XX.XX
2011 Feb 8 07:10:24.052876 tacacs: tplus_decode_author_response: exiting for aaa session: 0
But as you can see in the debugs, neither works as expected. I am trying to determine whether this is a simple config item that I am missing, or whether I need to open a TAC case to have it looked at as a bug.
AAA/TACACS config:
aaa authentication login default group TACACS-Servers
aaa accounting default group TACACS-Servers
aaa authentication login error-enable
feature tacacs+
tacacs-server host XX.XXX.XX.XX key REMOVED
aaa group server tacacs+ tacacs
aaa group server tacacs+ TACACS-Servers
  server XX.XXX.XX.XX
  use-vrf management
Any help would be appreciated.
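As an added illustrative example (not part of the original post and not Cisco's code), this Python script parses the two debug captures above and reports which AV pair drove the role decision in each run. The local role list, and the assumption that NX-OS matches the roles value exactly (case-sensitively) against it, are constructed for the example and not taken from the post.

```python
import re

# Constructed sample input: the two "debug tacacs+" captures from the post,
# trimmed to the lines the parser needs (server IP masked as in the post).
CAPTURE_WITH_PRIV = """\
2011 Feb 8 07:04:23.227585 tacacs: tplus_decode_author_response: attribute 0 idletime=15
2011 Feb 8 07:04:23.227596 tacacs: tplus_decode_author_response: attribute 1 priv-lvl=15
2011 Feb 8 07:04:23.227606 tacacs: tplus_decode_author_response: attribute 2 roles=Network-Admin
2011 Feb 8 07:04:23.228007 tacacs: AAA_RESP: status=2, av_count=2, ctx_len=294, server_msg_len=0, server_data_len=0
2011 Feb 8 07:04:23.228020 tacacs: AAA_RESP: 0 th attribute network-admin
2011 Feb 8 07:04:23.228029 tacacs: AAA_RESP: 1 th attribute XX.XXX.XX.XX
"""
CAPTURE_ROLES_ONLY = """\
2011 Feb 8 07:10:24.052797 tacacs: tplus_decode_author_response: attribute 0 idletime=15
2011 Feb 8 07:10:24.052808 tacacs: tplus_decode_author_response: attribute 1 roles=Network-Admin
2011 Feb 8 07:10:24.052855 tacacs: AAA_RESP: status=2, av_count=1, ctx_len=294, server_msg_len=0, server_data_len=0
2011 Feb 8 07:10:24.052867 tacacs: AAA_RESP: 0 th attribute XX.XXX.XX.XX
"""

# Assumed local role names on the switch (constructed for this example); the
# check below assumes NX-OS matches the roles AV against these exactly.
KNOWN_ROLES = {"network-admin", "network-operator", "vdc-admin", "vdc-operator"}

ATTR_RE = re.compile(r"tplus_decode_author_response: attribute \d+ ([^=\s]+)=(\S+)")
RESP_RE = re.compile(r"AAA_RESP: \d+ th attribute (\S+)")

def analyze(capture, known_roles=KNOWN_ROLES):
    """Return (av_pairs sent by the server, roles that reached AAA_RESP, findings)."""
    av_pairs = {}
    applied = []
    for line in capture.splitlines():
        if m := ATTR_RE.search(line):
            av_pairs[m.group(1)] = m.group(2)
        elif m := RESP_RE.search(line):
            # AAA_RESP also carries the server address; keep only role names.
            if m.group(1) in known_roles:
                applied.append(m.group(1))
    findings = []
    if "priv-lvl" in av_pairs:
        findings.append(f"role taken from priv-lvl={av_pairs['priv-lvl']}; "
                        "the roles AV was not the deciding attribute")
    if "roles" in av_pairs and not applied:
        findings.append("roles AV sent but no role reached AAA_RESP")
        wanted = av_pairs["roles"]
        if wanted not in known_roles:
            # Assumption: an exact, case-sensitive role name is required.
            close = sorted(r for r in known_roles if r.lower() == wanted.lower())
            findings.append(f"'{wanted}' matches no local role exactly (closest: {close})")
    return av_pairs, applied, findings
```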