
Cisco ACS 5.2 with NX-OS devices (Nexus) - User issues

Hey Community, I am having a really strange issue with Cisco ACS 5.2 and NX-OS Nexus Devices.

I create an account on ACS, let's call it User1, and give it privilege 15. With User1, I'm able to access on all of our IOS, IOS-XE, ASA, and PIX devices with privilege 15.

When I use that same User1 account into our NEXUS devices, I do NOT get privilege 15 access. As you probably know, NEXUS devices have roles: pre-defined or custom-made roles. So I assumed I would get the role of 'network-admin' (priv 15 read/write) with User1 when logging in, but instead I get the role of 'vdc-operator' (priv 1 read-only).

So then I tried to tweak User1 and give it network-admin under Shell profile >> Custom Attributes. I logged into the NEXUS and sure enough I was able to get network-admin access. However, my access to ALL the other devices (IOS, ASA, PIX, etc) doesn't work AT ALL! I'm not even able to log in with my username and password to these devices.

Has anyone ever run into this problem? Please Help!

Thanks,

neocec

1 ACCEPTED SOLUTION

This is a common issue when mixing authorization policies with RBAC and IOS devices. The av-pair that you created needs to be set to "optional" instead of "mandatory"; please make this change and you will be able to get access to all your devices.

Thanks,

Tarik

10 REPLIES

Hey Tarik,

You are a genius! This solution totally worked! I can't thank you enough. Can't believe it was that simple! 5 Stars!!

Do you know if there's any Cisco documentation out there that states this?

Thanks,

Neocec


Neocec,

Yes, here is the documentation that provides insight into this (they make reference to the = and the *).

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter6.html#con_1473433

Thanks,

Tarik
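The accepted answer (set the av-pair to "optional" rather than "mandatory") and the documentation reference to "=" and "*" describe the same TACACS+ rule: in an authorization reply, `attr=value` is a mandatory argument and `attr*value` is an optional one, and a client that receives a mandatory argument it does not implement must treat the authorization as failed, while an unknown optional argument is simply ignored. The following is an added illustration, not code from the thread or from Cisco; the per-platform attribute sets are constructed for the example and only approximate real device behaviour.

```python
# Added example (not from the thread): how a TACACS+ client interprets
# authorization attribute-value pairs.
#
# In TACACS+ (RFC 8907, section 6.1) "attr=value" is a mandatory argument
# and "attr*value" is an optional argument.  A client that does not
# implement a mandatory argument must consider the authorization failed
# (fail closed); an unrecognized optional argument is ignored.
import re
from dataclasses import dataclass

# attribute, then a single '=' (mandatory) or '*' (optional), then the value
AV_PAIR_RE = re.compile(r'^([^=*]+)([=*])(.*)$')


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool


def parse_av_pair(text):
    """Parse one av-pair string such as 'priv-lvl=15' or 'shell:roles*"network-admin"'."""
    m = AV_PAIR_RE.match(text)
    if not m:
        raise ValueError(f"not an av-pair: {text!r}")
    attr, sep, value = m.groups()
    # Cisco configs usually quote role strings; the quotes are not part of the value.
    return AVPair(attr.strip(), value.strip().strip('"'), mandatory=(sep == "="))


# Constructed, simplified view of which attributes each platform family
# understands.  Real devices support more; this is only for illustration.
SUPPORTED = {
    "ios": {"priv-lvl", "autocmd", "idletime", "timeout"},
    "nxos": {"shell:roles", "priv-lvl"},
}


def authorize(platform, av_pairs):
    """Simulate the client side of exec authorization.

    Returns (passed, applied) where applied maps the attributes the device
    understood to their values.  An unknown mandatory argument fails the
    whole authorization; an unknown optional argument is skipped.
    """
    applied = {}
    for raw in av_pairs:
        pair = parse_av_pair(raw)
        if pair.attr in SUPPORTED[platform]:
            applied[pair.attr] = pair.value
        elif pair.mandatory:
            return False, {}  # fail closed on an unimplemented mandatory argument
        # unknown optional argument: disregarded, processing continues
    return True, applied


def compare_profiles(platforms=("ios", "nxos")):
    """Run the 'mandatory' and 'optional' shell-profile variants against each platform."""
    profiles = {
        # the profile the original poster started with: '=' makes shell:roles mandatory
        "mandatory": ["priv-lvl=15", 'shell:roles="network-admin"'],
        # the accepted fix: '*' makes shell:roles optional
        "optional": ["priv-lvl=15", 'shell:roles*"network-admin"'],
    }
    return {
        name: {p: authorize(p, pairs) for p in platforms}
        for name, pairs in profiles.items()
    }


if __name__ == "__main__":
    for name, results in compare_profiles().items():
        for platform, (ok, applied) in results.items():
            print(f"{name:9s} profile on {platform:4s}: {'PASS' if ok else 'FAIL'} {applied}")
```

With the mandatory form the IOS device rejects the whole authorization because it has no implementation of `shell:roles`, which matches the symptom in the thread (no access at all on IOS/ASA/PIX once the custom attribute was added), while the NX-OS device applies the role. With the optional form both platforms pass: IOS ignores `shell:roles` and applies `priv-lvl`, and NX-OS still receives its role.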


Tarik,

Have you seen any issues with TACACS and Nexus switches where you get an error stating "Remote AAA servers unreachable;" but when you look at the ACS logs I see successful authentication for that user? I'm stumped!

Thanks,

Robert


Hi, Giovanni Ceci

Can you show me how you created your shell profile and Authorization Policy to be used by both IOS and NX-OS?

thanks,

Marlon


Here is how to create the shell profile so your users will have network-admin privileges.
I am using ACS v5.3 and Nexus 5Ks running code 5.1.3.

I h


Thanks Neal, this is a great screen capture.


Hi Guys.

What should be the optimal ACS version to support both IOS and NX-OS?

I may also include ASR 5Ks.

Thanks


Allan,

ACS 5.3 will be your best option; all versions support all of IOS, NX-OS, and IOS-XR, and even CRS. It's a matter of sending the proper task-group av-pairs back in the authorization profile.

Thanks,

Tarik Admani
*Please rate helpful posts*


I have the same problem too. I hope your statement works for me... I'll update tomorrow about the results.