cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
666
Views
5
Helpful
2
Replies

ACS 4.2 TACACS+ with IOS boxen works fine, but won't allow Nexus to AAA to same server(s)??

rmarosko
Beginner
Beginner

Howdy CSC,

So I am being presented with my second customer in less than 90 days that are running an existing ACS 4.2 AAA system doing AD username/password lookup, and are doing full TACACS+ AAA with IOS boxen, both routers and switches. Everything works fine, everyone is happy.

Now both customers want to add multiple Nexus platforms to the mix... N7Ks, N5Ks, etc.  

Dealing with custom attribute values is not something I normally play with (hey, I'm route/switch, not security!), so of course I come over here to figure out how to make all this stuff work, RTFM, etc.

Everything I see points to adding the custom attribute value "shell:roles=network-admin" to the TACACS+ settings under the user group, which I do. And now the users are able to log into the Nexus equipment and receive the proper user role, that works great.

And now all AAA to IOS boxen are broken. Username/password are sent and verified, then we get kicked out of that IOS box with the error "authorization failed".

I remove the custom attribute from the group, and access to the IOS boxen works again. And of course breaks the Nexus devices.

Just discussing this with some of our security engineers, the general consensus is to do one of the following:

1) Upgrade to ACS 5.x

2) Stand up new ACS 4.2 servers exclusively for the Nexus devices

3) Create/manage separate local usernames/usergroup in the existing ACS 4.2 servers to be used exclusively for the Nexus devices.

Customers are already budget-constrained, so option 1 isn't feasible, same issue for option 2. Option 3 seems most practical at this point, but the customer is not going to like having to remember multiple network management usernames/passwords.

Anyone have any suggestions or alternatives?

2 Replies 2

dherrald
Beginner
Beginner

Ron,

Did you see the post linked below?  Implies you may need to replace the equal sign("=") with an asterisk("*") to achieve desired result.  Might be worth a try.

https://supportforums.cisco.com/thread/2013536

David:

Good answer. +5.

I think that is going to fix the issue.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: