I am using ACS 5.2 and attempting to authorize users through TACACS to Nexus 5.1 code. I seem to have ACS set up correctly based on documentation I received through here. The problem is that NX-OS doesn't seem to be operating as expected. I performed a debug on the Nexus and received the following output:
2011 Feb8 07:04:23.228039 tacacs: tplus_decode_author_response: exiting for aaa session: 0
Yes - in this scenario I do get put into the Network-Admin role, but that is based on priv and not the roles AV setting. This is important because I have other roles that need assigning (i.e. VDC-Admin and "READ_CONFIG", which is added through the CLI).
So I figured that setting the Privilege level was causing my problem and reran the same test:
2011 Feb8 07:10:24.052767 tacacs: tplus_decode_author_response: entering for aaa session: 0
I'm also blocked by this kind of custom attribute.
We are migrating from TACACS 4.1 to 5.2, but the Custom Attributes fields under Shell (exec) have disappeared.
In the attachment, I've put 2 screenshots.
The config for v4.1 is running, but it's impossible for me to get this config working well on v5.2.
In 4.1, in user creation/edition, we check the "Shell (exec)" checkbox, then the "Custom attributes" checkbox, and put one or several lines of parameters. In my example, for Nexus, the working line for v4.1 is the following:
On TACACS 5.2, I've added a new field in User attributes by going into:
Whatever the parameter I set, the result is always the same when I perform a sh user-account on the Nexus:
Nexus# sh user-account
user:em739
        roles:vdc-operator
 account created through REMOTE authentication
 Credentials such as ssh server key will be cached temporarily only for this user account
 Local login not possible
The good result (like with v4.1) should be:
Nexus# sh user-account
user:em739
        roles:network-admin
 account created through REMOTE authentication
 Credentials such as ssh server key will be cached temporarily only for this user account
 Local login not possible