AAA Role Based in Nexus

matthew.huber
Level 1

I am using ACS 5.2 and attempting to authorize users through TACACS to Nexus 5.1 code.  I seem to have ACS set up correctly based on documentation I received through here.  The problem is that the NX-OS doesn't seem to be operating as expected.  I performed a debug on the Nexus and received the following output:

2011 Feb  8 07:04:23.227576 tacacs: tplus_decode_author_response: Attributes count 3
2011 Feb  8 07:04:23.227585 tacacs: tplus_decode_author_response: attribute 0 idletime=15
2011 Feb  8 07:04:23.227596 tacacs: tplus_decode_author_response: attribute 1 priv-lvl=15
2011 Feb  8 07:04:23.227606 tacacs: tplus_decode_author_response: attribute 2 roles=Network-Admin
2011 Feb  8 07:04:23.227931 tacacs: tplus_getroles(1937)Feature privilege: Disabled
2011 Feb  8 07:04:23.227959 tacacs: tplus_getroles(1957): privilege level 15, corresponding role is: network-admin
2011 Feb  8 07:04:23.227971 tacacs: tplus_decode_author_response: privilege level 15 is specified and corresponding role is network-admin
2011 Feb  8 07:04:23.228007 tacacs: AAA_RESP: status=2, av_count=2, ctx_len=294, server_msg_len=0, server_data_len=0
2011 Feb  8 07:04:23.228020 tacacs: AAA_RESP: 0 th attribute network-admin
2011 Feb  8 07:04:23.228029 tacacs: AAA_RESP: 1 th attribute XX.XXX.XX.XX
2011 Feb  8 07:04:23.228039 tacacs: tplus_decode_author_response: exiting for aaa session: 0

Yes - in this scenario I do get put into the Network-Admin role, but that is based on priv and not the roles AV setting.  This is important because I have other roles that need assigning (i.e. VDC-Admin and "READ_CONFIG", which is added through the CLI).

So I figured that setting the privilege level was causing my problem, removed it, and reran the same test:

2011 Feb  8 07:10:24.052767 tacacs: tplus_decode_author_response: entering for aaa session: 0
2011 Feb  8 07:10:24.052788 tacacs: tplus_decode_author_response: Attributes count 2
2011 Feb  8 07:10:24.052797 tacacs: tplus_decode_author_response: attribute 0 idletime=15
2011 Feb  8 07:10:24.052808 tacacs: tplus_decode_author_response: attribute 1 roles=Network-Admin
2011 Feb  8 07:10:24.052825 tacacs: tplus_decode_author_response: privilege level is not specifiedor if specified, roles has been given priority
2011 Feb  8 07:10:24.052855 tacacs: AAA_RESP: status=2, av_count=1, ctx_len=294, server_msg_len=0, server_data_len=0
2011 Feb  8 07:10:24.052867 tacacs: AAA_RESP: 0 th attribute XX.XXX.XX.XX
2011 Feb  8 07:10:24.052876 tacacs: tplus_decode_author_response: exiting for aaa session: 0

But as you can see in the debugs, neither works as expected.  I am trying to determine whether this is a simple config that I am missing or whether I need to open a TAC case to have it looked at as a bug.

AAA/TACACS config:

aaa authentication login default group TACACS-Servers
aaa accounting default group TACACS-Servers
aaa authentication login error-enable

feature tacacs+

tacacs-server host XX.XXX.XX.XX key REMOVED
aaa group server tacacs+ tacacs
aaa group server tacacs+ TACACS-Servers
    server XX.XXX.XX.XX
    use-vrf management

Any help would be appreciated.

2 Replies

matthew.huber
Level 1

I seem to have it working, yet it is not exactly what I would call intuitive.  In ACS I had to configure the Custom Attributes as:

Attribute: cisco-av-pair*shell:roles

Value: network-admin

Any insights would be appreciated.  Looks like this is not a bug.
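As an added illustration (not code from the thread or from Cisco), the helper below parses the two `tplus_decode_author_response` debug captures from the original post and reports which attributes the switch decoded and whether the applied role came from `priv-lvl` or from a roles av-pair; a second function compares an av-pair against the form this reply reports as working, `shell:roles*network-admin`. The role list and the lowercase check are taken from the thread's own output, and the debug subsets are constructed from the quoted lines.

```python
import re
# Constructed subsets of the two NX-OS debug captures quoted in the thread (timestamps kept verbatim).
CAPTURE_PRIV_AND_ROLES = """\
2011 Feb  8 07:04:23.227585 tacacs: tplus_decode_author_response: attribute 0 idletime=15
2011 Feb  8 07:04:23.227596 tacacs: tplus_decode_author_response: attribute 1 priv-lvl=15
2011 Feb  8 07:04:23.227606 tacacs: tplus_decode_author_response: attribute 2 roles=Network-Admin
2011 Feb  8 07:04:23.227971 tacacs: tplus_decode_author_response: privilege level 15 is specified and corresponding role is network-admin
2011 Feb  8 07:04:23.228020 tacacs: AAA_RESP: 0 th attribute network-admin
"""
CAPTURE_ROLES_ONLY = """\
2011 Feb  8 07:10:24.052797 tacacs: tplus_decode_author_response: attribute 0 idletime=15
2011 Feb  8 07:10:24.052808 tacacs: tplus_decode_author_response: attribute 1 roles=Network-Admin
2011 Feb  8 07:10:24.052867 tacacs: AAA_RESP: 0 th attribute XX.XXX.XX.XX
"""

ATTR_RE = re.compile(r"tplus_decode_author_response: attribute \d+ (\S+?)=(\S+)")
RESP_RE = re.compile(r"AAA_RESP: \d+ th attribute (\S+)")
# Role names as they appear in the thread's 'sh user-account' output; extend with locally defined roles.
NXOS_ROLES = {"network-admin", "network-operator", "vdc-admin", "vdc-operator"}

def parse_author_debug(text):
    """Decode the authorization attributes the switch logged and report which role (if any) it applied."""
    attrs, resp, priv_msg = {}, [], False
    for line in text.splitlines():
        if m := ATTR_RE.search(line):
            attrs[m.group(1)] = m.group(2)
        elif m := RESP_RE.search(line):
            resp.append(m.group(1))
        elif "is specified and corresponding role is" in line:
            priv_msg = True
    # AAA_RESP lists what was handed to the session; only a known role name there means a role was set.
    applied = next((a for a in resp if a in NXOS_ROLES), None)
    derived = "none" if applied is None else ("priv-lvl" if priv_msg else "roles av-pair")
    return {"attrs": attrs, "applied_role": applied, "derived_from": derived}

AVPAIR_RE = re.compile(r"^([^=*]+)[=*](.*)$")
def check_roles_avpair(avpair):
    """Explain how an av-pair differs from the form the thread reports as working: shell:roles*network-admin."""
    m = AVPAIR_RE.match(avpair)
    if not m:
        return ["not an attribute=value or attribute*value pair"]
    attr, value = m.groups()
    issues = []
    if attr != "shell:roles":
        issues.append(f"attribute is {attr!r}; the working configuration sends 'shell:roles'")
    for role in value.split():  # several roles may be listed, separated by spaces
        if role != role.lower():
            issues.append(f"role {role!r} is not lowercase; NX-OS shows roles in lowercase")  # inferred from the thread
        elif role not in NXOS_ROLES:
            issues.append(f"role {role!r} is not in NXOS_ROLES")
    return issues
```

Running `parse_author_debug` on the second capture shows no role in AAA_RESP, which matches the fallback to the default role that Fred reports below.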

Hello Matthew,

I'm also blocked by this kind of custom attribute.

We are migrating from TACACS 4.1 to 5.2, but the Custom Attributes fields under Shell Exec have disappeared.

In the attachment, I've put 2 screenshots.

The config for v4.1 is running, but it's impossible for me to get this config working well on v5.2.

In 4.1, in user creation/editing, we check the "Shell (exec)" checkbox, then the "Custom attributes" checkbox, and put in one or several lines of parameters.
In my example, for Nexus, the working line for v4.1 is the following:

shell:roles*network-admin

On TACACS 5.2, I've added a new field in User attributes by going to:

System Administration -> Configuration -> Dictionaries -> Identity -> Internal Users

Create => and I've tried several combinations of attribute names and values, but without success.

Parameter name (Attribute)       Value
==========================================================
shell:roles                      network-admin
shell:roles                      *network-admin
Custom attributes                shell:roles*network-admin
shell                            shell:roles*network-admin
shell                            roles*network-admin
roles                            network-admin
cisco-av-pair*shell:roles        network-admin
cisco-av-pair*shell              roles*network-admin
cisco-av-pair                    shell:roles*network-admin

Whatever parameter I set, the result is always the same when I perform a sh user-account on the Nexus:

Nexus# sh user-account
user:em739
        roles:
vdc-operator
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible

The good result (like with v4.1) should be:

Nexus# sh user-account
user:em739
        roles:
network-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible

Have you found a solution for your problem?

Thank you very much.

Fred.