06-23-2011 12:53 PM - edited 03-10-2019 06:11 PM
Hey Community, I am having a really strange issue with Cisco ACS 5.2 and NX-OS Nexus Devices.
I create an account on ACS, let's call it User1, and give it privilege 15. With User1, I'm able to access on all of our IOS, IOS-XE, ASA, and PIX devices with privilege 15.
When I use that same User1 account into our NEXUS devices, I do NOT get privilege 15 access. As you probably know, NEXUS devices have roles: pre-defined or custom-made roles. So I assumed I would get the role of 'network-admin' (priv 15 read/write) with User1 when logging in, but instead I get the role of 'vdc-operator' (priv 1 read-only).
So then I tried to tweak User1 and give it network-admin under Shell profile >> Custom Attributes. I logged into the NEXUS and sure enough I was able to get network-admin access. However, my access to ALL the other devices (IOS, ASA, PIX, etc) doesn't work AT ALL! I'm not even able to log in with my username and password to these devices.
Has anyone ever run into this problem? Please Help!
Thanks,
neocec
06-29-2011 12:39 AM
This is a common issue when mixing authorization policies with RBAC and IOS devices, the av-pair that you created needs to be set to "optional" instead of "mandatory", please make this change and you will be able to get access to all your devices.
Thanks,
Tarik
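The mechanism behind this fix, as an added example that is not part of the thread: in TACACS+ (RFC 8907, section 6.1) an authorization argument separated with `=` is mandatory and one separated with `*` is optional, and a client that receives a mandatory argument it cannot honour must treat the authorization as failed. The Python below models that rule for a reply carrying both a privilege level and a role; the attribute names and the per-platform vocabularies are illustrative assumptions, not taken from the thread.

```python
"""Model of how a TACACS+ client treats mandatory ('=') versus optional ('*')
authorization arguments (RFC 8907, section 6.1). Constructed example."""


def parse_av_pair(arg: str):
    """Split one argument into (name, value, mandatory).

    The first '=' or '*' is the separator: '=' marks the argument mandatory,
    '*' marks it optional. Any later separator characters belong to the value.
    """
    idx = min((i for i in (arg.find("="), arg.find("*")) if i != -1), default=-1)
    if idx <= 0:
        raise ValueError(f"malformed argument: {arg!r}")
    return arg[:idx], arg[idx + 1:], arg[idx] == "="


def apply_authorization(reply_args, supported):
    """Return (granted, applied) for a client that understands `supported`.

    A mandatory argument the client does not understand fails the whole
    authorization; an optional one it does not understand is ignored.
    """
    applied = {}
    for arg in reply_args:
        name, value, mandatory = parse_av_pair(arg)
        if name in supported:
            applied[name] = value
        elif mandatory:
            return False, {}
    return True, applied


# Constructed reply resembling the first attempt in the thread: the role
# attribute is sent as mandatory alongside the privilege level.
MANDATORY_REPLY = ["priv-lvl=15", "shell:roles=network-admin"]
# The fix from the thread: the same role attribute sent as optional.
OPTIONAL_REPLY = ["priv-lvl=15", "shell:roles*network-admin"]

# Assumed client vocabularies (illustrative): an IOS-style device only
# honours priv-lvl, while the NX-OS model here honours both attributes.
IOS_SUPPORTED = {"priv-lvl"}
NXOS_SUPPORTED = {"priv-lvl", "shell:roles"}
```

With the mandatory reply the IOS-style client rejects the whole authorization, which matches the "cannot even log in" symptom; with the optional reply it keeps `priv-lvl=15` and ignores the role, while the NX-OS model applies the role in both cases.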
07-06-2011 12:51 PM
Hey Tarik,
You are a genius! This solution totally worked! I can't thank you enough. Can't believe it was that simple! 5 Stars!!
Do you know if there's any Cisco documentation out there that states this?
Thanks,
Neocec
07-14-2011 11:14 PM
Neocec,
Yes, here is the documentation that provides insight into this (they make reference to the = and the *).
Thanks,
Tarik
03-08-2012 11:17 AM
Tarik,
Have you seen any issues with TACACS and Nexus switches where you get an error stating "Remote AAA servers unreachable;" but when you look at the ACS logs I see successful authentication for that user? I'm stumped!
Thanks,
Robert
06-03-2012 11:16 PM
Hi, Giovanni Ceci
Can you show me how you created your shell profile and authorization policy to be used by both IOS and NX-OS?
thanks,
Marlon
06-29-2012 02:04 PM
Here is how to create the shell profile so your users will have network-admin privileges.
I am using ACS v5.3 and nexus 5ks running code 5.1.3
I h
08-06-2012 08:46 AM
Thanks Neal, this is a great screen capture.
09-10-2012 07:22 PM
Hi Guys.
What should be the optimal ACS version to support both IOS and NX-OS?
I may also include ASR 5Ks.
Thanks
09-10-2012 08:09 PM
Allan,
ACS 5.3 will be your best option; all versions support all of the IOS, NX-OS, and IOS-XR, and even CRS. It's a matter of sending the proper task-group av-pairs back in the authorization profile.
Thanks,
Tarik Admani
*Please rate helpful posts*
07-05-2015 02:36 PM
I have the same problem too, I hope your statement works for me... I'll update tomorrow about the results.