ACS 5.2 with UCS 1.4

daveburns43
Level 1

How do I configure user authentication via TACACS on UCS 1.4 with ACS 5.2?  My TACACS connection works, and my user authentication is successful, but I can only get read-only rights.  I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role, with "admin" as the value, and I still get read-only.

When I attempt to find any documentation, it only describes ACS 4.2, which is another problem I have with most documentation for new Cisco products (I have this exact issue with my NAMs, nothing I do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).

Is there any possibility Cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?

1 Accepted Solution

In case anyone is interested, I got it working. The trick is to match the attribute and value as below. And these seem to be the same for all Nexus related products.

8 Replies

Nicolas Darchis
Cisco Employee

It's very product-dependent. I know nothing about UCS but I know about ACS :-)

So the attribute you should return is configured as "role" for the attribute name and "admin" as the value.

This document is not about UCS but WCS uses the same av-pairs giving roles so you might get inspiration from that doc.

https://supportforums.cisco.com/docs/DOC-17909

Hope it helps :-)

While I appreciate the referral, I have tried every permutation of role, roles, Role, role0, role1, etc. with admin, Admin, aaa, etc. as the "mandatory attribute" ...but every time I authenticate via my TACACS login, I get read-only.  If I log in using a local account, I get whatever role I assigned myself in the UCS manager software.

I would post this question in the UCS forum, but as I mentioned in my original post, I have this exact problem with the WS-SVC-NAM2s I use authenticating against this ACS via TACACS.  So I'm relatively certain it's an ACS configuration issue, and not a problem on the UCS side of the house.

Hi David,

I got the same issue as you, only got read-only access. Were you able to figure it out?

Thanks,

Tao

In case anyone is interested, I got it working. The trick is to match the attribute and value as below. And these seem to be the same for all Nexus related products.

The picture link for your solution is broken. What is the syntax? Thanks!

Attribute: shell:roles

Requirement: Mandatory

Value: admin

Hope this helps. FYI, as far as I can see, the screenshot is still there.
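How the attribute settings in this answer look as TACACS+ authorization arguments, as an added example that is not part of the original posts: TACACS+ (RFC 8907) carries each attribute as `name=value` when mandatory or `name*value` when optional, and a client that follows the protocol strictly fails authorization on a mandatory attribute it does not understand. The device profiles, the `strict` flag and the read-only fallback are assumptions modelled on what the posters report, not Cisco code.

```python
import re

# "name=value" is a mandatory argument, "name*value" an optional one.
AV_RE = re.compile(r'^([^=*]+)([=*])(.*)$')

def parse_av(pair):
    """Split one AV pair into (name, is_mandatory, value)."""
    m = AV_RE.match(pair)
    if not m:
        raise ValueError(f"not an AV pair: {pair!r}")
    name, sep, value = m.groups()
    return name, sep == "=", value.strip('"')

def authorize(reply_args, understood, strict=True):
    """Model a client receiving authorization reply arguments.

    understood: attribute names this (hypothetical) device implements.
    strict:     fail on an unknown mandatory attribute, as the protocol requires.
    Returns (authorized, accepted_attributes).
    """
    accepted = {}
    for pair in reply_args:
        name, mandatory, value = parse_av(pair)
        if name in understood:
            accepted[name] = value
        elif mandatory and strict:
            return False, {}          # cannot honor a mandatory attribute
        # unknown optional attributes are ignored
    return True, accepted

def ucs_role(reply_args):
    """Assumed UCS-like behavior: only shell:roles grants a role, and a
    login without it falls back to read-only (as seen in this thread)."""
    ok, attrs = authorize(reply_args, {"shell:roles"}, strict=False)
    return attrs.get("shell:roles", "read-only") if ok else None

if __name__ == "__main__":
    # Constructed sample replies, one per attribute name tried in the thread.
    for args in (["role=admin"], ["shell:roles=admin"]):
        print(args, "->", ucs_role(args))
    # A hypothetical strict device that only implements priv-lvl.
    for args in (["priv-lvl=15", "shell:roles=admin"],
                 ["priv-lvl=15", "shell:roles*admin"]):
        print(args, "->", authorize(args, {"priv-lvl"}))
```
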

That is great!  shell:roles worked for me as well.  Now hopefully a similar trick will work for the NAM.

Thanks!

When I set this on my generic admin shell profile, it prevents me from defaulting to enable mode (priv 15) on my network devices. I can type "enable", enter my password when prompted, and enter enable mode, but I'd like this to happen automatically, as it did before I made this shell profile change.

Any ideas?