Beginner

Cisco ACS 5.4 and Nexus 7000

Hi

I am trying to configure my Cisco ACS 5.4 via TACACS for Nexus 7000 (NX-OS 6.2(2)), following this documentation:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html

But when logging into config mode I am limited to 4 commands on the Nexus 7000:

no  Negate a command or set its defaults
username  Configure user information.
end       Go to exec mode
exit      Exit from command interpreter

But when utilizing IOS privilege level 15 (shell profile custom task default/max 15) I have 83 main commands.

Can you let me know if there is an ACS version dependency or better approach to configuring ACS for Nexus?

Thanks.

Cisco Employee

What role are you pushing for your user account? Can you please provide the output of 

show user-account

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin Katyal
Beginner

I cannot retrieve this information in config mode. But in enable mode I am a vdc-operator?

GW-CR-CORE-NX7010-1# sh user-account
user:admin
        this user account has no expiry date
        roles:vdc-admin
user:yi.jin
        roles:vdc-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
user:tuyen.nguyen
        roles:vdc-operator
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
GW-CR-CORE-NX7010-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
GW-CR-CORE-NX7010-1(config)# ?
  no        Negate a command or set its defaults
  username  Configure user information.
  end       Go to exec mode
  exit      Exit from command interpreter

I think I need to modify

shell:roles*"network-admin vdc-admin"

to

shell:roles*"network-admin,vdc-admin"

Cisco Employee

You're not getting the required role, and that is the only reason you are unable to see/execute all the commands. You don't need to use a comma (,) between "network-admin vdc-admin". I guess you are not hitting the right authorization rule under Device Administration. Please check Monitoring and Reports > TACACS Authorization for further details.

Use the debug tacacs+ all and debug aaa authorization commands to enable the trace.

Log in the user again, and collect the debug trace.

The trace should contain information for further investigation.

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin Katyal
Beginner

Thanks for the feedback. I inserted a comma, based upon the link below, and it fixed the issue.

https://supportforums.cisco.com/discussion/12030911/acs-54-nexus-7k-user-roles-not-correct

Hi, Tuyen. I have a question:

How did you introduce the custom attributes in shell profile? Were you able to introduce an attribute with quotation marks? I get logged out just after submitting...

Regards,

Ivan

Cisco Employee

Ivan,

There was a defect on this topic:

CSCug53703     Authorization profile with double quotes, ACS getting logged out.

This has been fixed in ACS 5.4 patch 4 and later.

What version are you running?

- Jatin

~Jatin Katyal

It seems to be hitting a similar problem on later versions. Our version is 5.4.0.46.6.

Maybe it was solved for Authorization profile but it is not for Shell Profiles.

Thanks for the tip, Jatin!! I found the bug:

https://tools.cisco.com/bugsearch/bug/CSCut06874/?referring_site=ss

Cisco Employee

Try this:

Copy and paste these characters and don't enter them via the keyboard; that is not considered a valid use case.

Let me know how it goes.

- Jatin

~Jatin Katyal

Thanks Jatin, but it is the same behaviour, I tried copying the parameters from this link with the same result:

https://supportforums.cisco.com/discussion/12030911/acs-54-nexus-7k-user-roles-not-correct

I tried to use ' instead of " and it does not even add the attribute to the list. Any other idea?

Beginner

Hi Ivan

I used the following to fix my issue. Hope it helps:

cisco-av-pair=shell:roles*"network-admin,vdc-admin"


Hi Tuyen,

Which is your ACS version (5.4.X.Y.Z)?

When I try to submit the attribute with double quote character, I get logged out.

Beginner

We previously had 5-4-0-46-8 when we encountered issue.


Hi Jatin,

I copied the end of the GET string that the explorer is sending to ACS:

&contextData.inputMethod=EDIT&commonTaskAttrList=Assigned+Privilege+Level%09Mandatory%091&commonTaskAttrList=Max+Privilege+Level%09Mandatory%0915&customAttrListType=Static&customAttrList=cisco-av-pair%09Mandatory%09shell%3Aroles%3D%22network-admin%22

%22 is the correct encoding for a double quote, so the problem must be in the ACS server; maybe it is filtering the input of the GET parameters too much...
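To make the pasted request and the two shell:roles attributes in this thread concrete, here is an added Python example. It is not code from the thread, from ACS or from Cisco; the function names are mine and the query string is constructed from the tail Ivan quoted above. It decodes the percent-encoded form, splits each attribute-list entry on its tab (%09) separator, and parses the resulting cisco-av-pair into attribute name, mandatory/optional flag and role list. Two things become visible: %22 does decode to a straight double quote, so the encoding on the wire is correct as Ivan says, and the pasted attribute is written with `=` (a mandatory AV pair in TACACS+ syntax) while Tuyen's working attribute used `*` (optional). The role parser accepts both the comma-separated and the space-separated forms discussed above, and rejects typographic quotes, which forum and word-processor formatting can silently substitute for straight ones.

```python
from urllib.parse import parse_qs

# Constructed sample: the tail of the GET request the ACS 5.4 web UI sends when a
# shell profile with a custom cisco-av-pair attribute is submitted (from the thread).
SAMPLE_QUERY = (
    "contextData.inputMethod=EDIT"
    "&commonTaskAttrList=Assigned+Privilege+Level%09Mandatory%091"
    "&commonTaskAttrList=Max+Privilege+Level%09Mandatory%0915"
    "&customAttrListType=Static"
    "&customAttrList=cisco-av-pair%09Mandatory%09shell%3Aroles%3D%22network-admin%22"
)

TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"  # curly double and single quotes


def decode_attr_lists(query):
    """Decode the shell-profile form. Each attribute-list entry is one
    percent-encoded value of the form name<TAB>requirement<TAB>value."""
    params = parse_qs(query)  # undoes %XX escapes and turns '+' into ' '
    decoded = {"common": [], "custom": []}
    for key, bucket in (("commonTaskAttrList", "common"), ("customAttrList", "custom")):
        for raw in params.get(key, []):
            name, requirement, value = raw.split("\t", 2)  # %09 is a tab
            decoded[bucket].append({"name": name, "requirement": requirement, "value": value})
    return decoded


def parse_av_pair(av_pair):
    """Split a TACACS+ AV pair into (attribute, flag, value).
    'attr=value' is a mandatory attribute and 'attr*value' an optional one;
    the first '=' or '*' is the separator (attribute names may contain ':')."""
    for i, ch in enumerate(av_pair):
        if ch in "=*":
            flag = "mandatory" if ch == "=" else "optional"
            return av_pair[:i], flag, av_pair[i + 1:]
    raise ValueError("not an AV pair: %r" % av_pair)


def roles_from_value(value):
    """Strip the surrounding straight double quotes from a shell:roles value and
    return the role list. Both 'a,b' and 'a b' are accepted; typographic quotes
    (a common paste artifact) are rejected explicitly."""
    if any(ch in TYPOGRAPHIC_QUOTES for ch in value):
        raise ValueError("typographic quotes in shell:roles value: %r" % value)
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("shell:roles value is not wrapped in double quotes: %r" % value)
    return value[1:-1].replace(",", " ").split()


def shell_roles_from_query(query):
    """End to end: decode the form, pick out cisco-av-pair entries and return
    a list of (flag, roles) for every shell:roles attribute found."""
    found = []
    for entry in decode_attr_lists(query)["custom"]:
        if entry["name"] != "cisco-av-pair":
            continue
        attr, flag, value = parse_av_pair(entry["value"])
        if attr == "shell:roles":
            found.append((flag, roles_from_value(value)))
    return found


if __name__ == "__main__":
    for bucket, entries in decode_attr_lists(SAMPLE_QUERY).items():
        for e in entries:
            print(bucket, e)
    print("roles in pasted request:", shell_roles_from_query(SAMPLE_QUERY))
    print("Tuyen's attribute:", parse_av_pair('shell:roles*"network-admin,vdc-admin"'))
```

Running it prints the two common-task entries (privilege level 1 and 15), the custom entry decoded to `shell:roles="network-admin"`, and the role list `[('mandatory', ['network-admin'])]`; the last line shows Tuyen's attribute parsed as optional. Feeding it a value with curly quotes raises a ValueError instead of silently producing a wrong role list.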