7665 Views, 15 Helpful, 8 Replies

ACS4.2, NX-OS and Cisco AV-Pair Question

rkoudmani (Level 1)

Hi,

I have some Nexus switches deployed in my network. They are authenticating user access via TACACS/ACS (4.2). I would like to get the user role part working, as currently any users logging in get defaulted to a network-operator role so don't have full configuration ability. Reading the Nexus guide I see that this is achieved by somehow using the following Cisco VSA:

shell:roles="network-operator vdc-admin"

Can anyone help me to understand specifically how to get this configured? I guess that on the ACS somewhere I need to return this attribute for a user. However, I can't see where it's configured. I have been through the ACS admin guide but it's not clear to me.

Many Thanks

RK

Accepted Solution

You can configure this attribute per user or per group.

First, go to Interface Configuration -> TACACS+ and enable "Display a window for each service selected in which you can enter customized TACACS+ attributes".

Next, go to the user or group where you want to grant this role and check the box next to "Shell (exec)" and in the custom attributes field below add the role assignment.

Note: if you will be authenticating on both NX-OS and IOS devices, use * instead of = to make the role optional or the IOS devices will fail authorization.

i.e.:

shell:roles*"network-admin"


8 Replies

Hi Javier,

That worked perfectly.

Thanks very much

RK

Hi Javier

I've the same problem. I configured everything as you recommended in your posting, but I still end up in the default role "network-operator".

ACS 4.2 Configuration:

user config

shell exec (enabled)

shell:roles*"network-admin"

After Login - the output of the command "show user-account" says:

user:ude3964
        roles:network-operator
account created through REMOTE authentication

AAA Configuration:

rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request

rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+

tacacs-server timeout 3
tacacs-server host 172.28.193.34 key 7 "wg$yscmfv1"
tacacs-server host 172.28.193.35 key 7 "wg$yscmfv1"
aaa group server tacacs+ tacacs
    server 172.28.193.35
    source-interface Vlan501

In the output of "debug aaa all" there is not much to see. NX-OS in this case is not as good as IOS.

In the ACS passed Authentication Report everything looks fine.

Do you have any idea how to go further?

Cheers

Patrick

We are using both IOS and NX-OS switches. The av-pair used for IOS is shell:priv-lvl-15 and for NX-OS shell:role*"network-admin". After configuring:

" cisco av-pair = shell:priv-lvl-15 shell:role*"network-admin" "

I can log in on the IOS switch in enable mode and only in network-operator mode on the NX-OS.

After configuring:

" cisco av-pair = shell:role*"network-admin" shell:priv-lvl-15 "

only NX-OS as network-admin and IOS in exec mode.

Do you have any idea how to configure the correct av-pair config for NX-OS and IOS switches?
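Added example, not code from this thread, from Cisco or from ACS: a small Python model of the "=" (mandatory) versus "*" (optional) separator that Javier's note in the accepted solution relies on, and of what happens when one attribute set is sent to two device types that each understand only one of the attributes, as in the IOS/NX-OS question just above. The two client profiles (an IOS-style client that understands only shell:priv-lvl, an NX-OS-style client that understands only shell:roles), the default values and the argument lists are constructed assumptions for the model, not a description of any real platform's full behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A TACACS+ authorization argument is "name=value" (mandatory) or
# "name*value" (optional); the separator is the first '=' or '*' found.
_ARG_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.DOTALL)


@dataclass(frozen=True)
class AvPair:
    name: str
    value: str
    mandatory: bool


def parse_av_pair(arg: str) -> AvPair:
    """Split one argument into name, value and mandatory flag."""
    m = _ARG_RE.match(arg)
    if not m:
        raise ValueError(f"not a TACACS+ attribute-value pair: {arg!r}")
    name, sep, value = m.groups()
    # Values typed with quotes in the ACS custom-attribute field arrive quoted.
    return AvPair(name=name, value=value.strip('"'), mandatory=(sep == "="))


def authorize(args: Iterable[str], supported: Set[str]) -> Tuple[bool, Dict[str, str]]:
    """Model of how a client treats the server's argument list.

    A mandatory argument the client does not understand fails the whole
    authorization; an optional one it does not understand is ignored.
    Returns (granted, applied-attributes).
    """
    applied: Dict[str, str] = {}
    for arg in args:
        pair = parse_av_pair(arg)
        if pair.name in supported:
            applied[pair.name] = pair.value
        elif pair.mandatory:
            return False, {}
    return True, applied


# Assumed client profiles for the model only: an IOS-style device that
# understands just privilege levels and an NX-OS-style device that
# understands just roles. Real platforms support more attributes than this.
IOS_SUPPORTED = {"shell:priv-lvl"}
NXOS_SUPPORTED = {"shell:roles"}
NXOS_DEFAULT_ROLES = ["network-operator"]  # fallback role reported in the thread
IOS_DEFAULT_PRIV = 1                        # assumed default exec level for the model


def nxos_roles(args: Iterable[str]) -> Optional[List[str]]:
    """Roles the NX-OS-style client would apply, or None if authorization fails."""
    granted, applied = authorize(args, NXOS_SUPPORTED)
    if not granted:
        return None
    roles = applied.get("shell:roles", "")
    return roles.split() if roles else list(NXOS_DEFAULT_ROLES)


def ios_priv_level(args: Iterable[str]) -> Optional[int]:
    """Privilege level the IOS-style client would apply, or None on failure."""
    granted, applied = authorize(args, IOS_SUPPORTED)
    if not granted:
        return None
    return int(applied["shell:priv-lvl"]) if "shell:priv-lvl" in applied else IOS_DEFAULT_PRIV


if __name__ == "__main__":
    # Constructed argument lists, as the ACS custom-attribute field might send them.
    cases = {
        "mandatory roles": ['shell:roles="network-admin"'],
        "optional roles": ['shell:roles*"network-admin"'],
        "both optional": ["shell:priv-lvl*15", 'shell:roles*"network-admin"'],
    }
    for label, args in cases.items():
        print(f"{label:16} IOS priv-lvl={ios_priv_level(args)}  NX-OS roles={nxos_roles(args)}")
```

Running the block prints one line per constructed case. In the model a mandatory shell:roles fails the IOS-style client outright, while the optional form leaves it at its default level and still hands the NX-OS-style client the role. Attribute names are compared literally, so whatever is typed into the ACS field has to match the name the device expects character for character.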

Can you capture the traffic between the TACACS+ server and the switches and post it here, so we can see what is actually being sent?

You will want to capture both instances, ie, when NX-OS works right and when IOS works right.

Try removing:

aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs

I believe with Nexus you can only do RBAC OR command authorization, not both.

Does anybody know if this can be done in ACS 5.1 as I am looking for TACACS+ VSA options to do this, but all I can find is RADIUS VSA options to be configured?

You can send custom AV pairs with ACS 5.1, by creating a custom shell profile under policy elements, then you would tie this shell profile to an authorization policy.
