ACS 5.1 Tacacs+ Nexus 5000

conradduval1
Level 1

Hello,

I am having some problems changing the role of my AD-validated user on my Nexus.

Users are validated against AD, then I am trying to push an AV-pair attribute to change the user role to network-admin.

All settings are getting assigned to my user (access profile, shell, etc.).

I tried the following custom attributes in my shell profile:

Attribute        Value
shell            roles="network-admin"
shell            roles=network-admin
shell:roles      "network-admin"
shell:roles      network-admin
cisco-av-pair    shell:roles="network-admin"

When I do a show user-account, my user is never network-admin; it stays at network-operator.

Any idea?

3 Replies

mansrini
Level 1

Hello,

There is a known bug w.r.t. authorization in 4.x versions of the Nexus code. As a workaround, try the following under the aaa server group:

use-vrf default (or management, depending on which VRF is used to reach the AAA server).

The attribute should be cisco-av-pair=shell:roles and the value should be network-admin.

Thanks,

Mani

Hi, is this the correct format, and how do I apply it?

Attribute: cisco-av-pair*shell:roles

Value:"network-operator"

In ACS 4.x we assigned it under custom attribute:

cisco-av-pair*shell:roles="network-operator"

Thx

Hubert

Hello,

Just:

attribute - shell:roles

requirement - optional

value - network-operator

should do. I have been using this all the time with no problems. I believe the format you have been using should also work. In any case, be aware that the other AV pairs that I see in your shell profile might break the Nexus, as the Nexus might not understand some of those attributes. You could either make all those attributes optional (so any device which doesn't understand those attributes will ignore them) or you could create separate shell profiles for IOS and Nexus and tie them to access policies based on which NDG the request is coming from.

Thanks,

Mani
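The thread turns on two details of how a TACACS+ client reads authorization attributes: the attribute name must be exactly shell:roles, and the separator carries the requirement flag ('=' mandatory, '*' optional), so a mandatory attribute the device does not understand can break authorization while an optional one is simply ignored. The following is an added example, not code from the thread or from Cisco; it parses attribute-value strings in that format and models the fallback to network-operator when no usable shell:roles pair arrives. The role allow-list, the unwrapping of a cisco-av-pair wrapper, and the sample strings are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    mandatory: bool  # '=' separator -> mandatory, '*' separator -> optional


# attribute, then a single '=' or '*' separator, then the value (may be quoted)
_AV_RE = re.compile(r'^([^=*]+)([=*])(.*)$', re.DOTALL)


def _unquote(v: str) -> str:
    """Strip one pair of surrounding double quotes, if present."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return v[1:-1]
    return v


def parse_av_pair(raw: str) -> AVPair:
    """Parse one TACACS+ authorization attribute-value string."""
    m = _AV_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not an attribute-value pair: {raw!r}")
    attr, sep, value = m.groups()
    attr = attr.strip()
    if attr == "cisco-av-pair":
        # Assumption for this example: treat the RADIUS-style wrapper the
        # original poster tried as carrying a nested pair and unwrap it.
        return parse_av_pair(value)
    return AVPair(attr, _unquote(value.strip()), sep == "=")


# Constructed allow-list of built-in NX-OS roles; real devices also accept
# user-defined roles, so this is illustrative only.
KNOWN_ROLES = {"network-admin", "network-operator", "vdc-admin", "vdc-operator"}
DEFAULT_ROLE = "network-operator"


def resolve_nexus_roles(pairs):
    """Return (roles, problems) for a list of AVPair objects.

    Models the behaviour discussed in the thread: roles come only from a
    shell:roles attribute (space separated, so several roles may be given);
    when none is understood the session falls back to network-operator.
    Unknown mandatory attributes are reported as problems, because a strict
    client may reject the whole authorization; unknown optional ones are
    silently ignored.
    """
    roles, problems = [], []
    for p in pairs:
        if p.attribute == "shell:roles":
            for r in p.value.split():
                if r in KNOWN_ROLES:
                    roles.append(r)
                else:
                    problems.append(f"unknown role {r!r}")
        elif p.mandatory:
            problems.append(f"unhandled mandatory attribute {p.attribute!r}")
    if not roles:
        roles = [DEFAULT_ROLE]
    return roles, problems


# Constructed encodings of the attempts from the thread (assumed wire form).
THREAD_ATTEMPTS = {
    "attribute 'shell', value roles=...": ['shell=roles="network-admin"'],
    "shell:roles mandatory, quoted": ['shell:roles="network-admin"'],
    "shell:roles optional (Hubert)": ['shell:roles*"network-operator"'],
    "IOS-only extra pair alongside": ['priv-lvl=15', 'shell:roles*network-admin'],
}

if __name__ == "__main__":
    for label, raw_pairs in THREAD_ATTEMPTS.items():
        roles, problems = resolve_nexus_roles([parse_av_pair(r) for r in raw_pairs])
        print(f"{label:40s} -> roles={roles} problems={problems}")
```

Running it shows why the first attempt lands on network-operator: the attribute name sent is "shell", not "shell:roles", so nothing sets a role and the default applies, and the unrecognised mandatory pair is flagged as a problem. The last case illustrates Mani's advice: an IOS-only attribute left mandatory is reported, whereas marking it optional would make the problems list empty.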
