ACS 4.2, NX-OS and Cisco AV-Pair

pat1848
Level 1

Hi

Although I configured the AAA stuff on the Nexus5k and the ACS with the shell exec and role information, I still end up with the default role "network-operator" on the Nexus.

I attached the main configuration for this feature.

Does anybody have an idea where the problem could be found?

Apparently the output of "debug aaa all" is not very useful; in this case NX-OS is not like IOS.

ACS 4.2 Configuration:

User Config:

shell exec (enabled)

shell:roles*"network-admin"  (actually I also tried shell:roles="network-admin")

After Login - the output of the command "show user-account" says:

user:ude3964
        roles:network-operator
account created through REMOTE authentication

AAA Configuration:

rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request

rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+

tacacs-server timeout 3

tacacs-server host 172.28.193.35 key 7 "xx"
aaa group server tacacs+ tacacs
    server 172.28.193.35
    source-interface Vlan501

In the ACS passed Authentication Report everything looks fine.

Any hints?

Cheers

Patrick
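As an added illustration of the attribute formats tried above (example code written for this page, not from the thread or from Cisco), the following Python models how the shell:roles AV-pair in a TACACS+ authorization reply maps to NX-OS roles: per the TACACS+ specification "=" marks a mandatory attribute and "*" an optional one, both carry the same value, and the role list falls back to network-operator when shell:roles is absent, which is what the post's "show user-account" output shows. The sample replies are constructed; the assumption that NX-OS splits a quoted value on whitespace into several roles is labelled in the code.

```python
import re
from dataclasses import dataclass
from typing import List

# Fallback role NX-OS assigns to a remote user with no usable shell:roles
# (seen in the post's "show user-account" output).
DEFAULT_ROLE = "network-operator"

# RFC 8907 AV-pair syntax: name, then "=" (mandatory) or "*" (optional), then value.
AVPAIR_RE = re.compile(r'^(?P<name>[^=*]+)(?P<sep>[=*])(?P<value>.*)$')


@dataclass
class RoleDecision:
    roles: List[str]
    reason: str


def parse_avpair(pair: str):
    """Split one AV-pair into (name, mandatory, value); surrounding quotes are stripped."""
    m = AVPAIR_RE.match(pair)
    if not m:
        raise ValueError(f"not a TACACS+ AV-pair: {pair!r}")
    return m.group("name"), m.group("sep") == "=", m.group("value").strip('"')


def roles_from_reply(avpairs: List[str]) -> RoleDecision:
    """Derive the NX-OS role list from the AV-pairs of an authorization reply."""
    for pair in avpairs:
        name, mandatory, value = parse_avpair(pair)
        if name != "shell:roles":
            continue  # e.g. priv-lvl=15 is ignored for role assignment here
        # Assumption: a space-separated value such as "network-admin vdc-admin"
        # yields several roles, as in Cisco's documented attribute format.
        roles = value.split()
        if roles:
            kind = "mandatory" if mandatory else "optional"
            return RoleDecision(roles, f"shell:roles ({kind}) accepted")
        return RoleDecision([DEFAULT_ROLE], "shell:roles empty; default role applied")
    return RoleDecision([DEFAULT_ROLE], "no shell:roles attribute; default role applied")


if __name__ == "__main__":
    # Constructed authorization replies mirroring the two forms tried in the post.
    for reply in (['shell:roles*"network-admin"'],
                  ['shell:roles="network-admin"'],
                  ["priv-lvl=15"]):
        d = roles_from_reply(reply)
        print(reply, "->", d.roles, "|", d.reason)
```

Comparing the roles this yields for the attributes ACS is configured to send against the roles actually assigned on the switch narrows the problem to either the reply content (visible in a capture) or the switch-side parsing.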

1 Reply

On ACS set the log level detail to full, reproduce the problem, collect a package.cab, then look at the auth.log and TCS.log files, see if any hints appear there.

Also, consider capturing the traffic between the NX-OS switch and ACS, to see what ACS is receiving from the switch and what it is sending back.