Cisco ACS 5.4 and Nexus 7000

Tuyen Nguyen
Level 1

Hi
I am trying to configure my Cisco ACS 5.4 via TACACS for Nexus 7000 (NXOS 6.2(2)), following this documentation:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html

But when logging into config mode I am limited to 4 commands on the Nexus 7000:

  no        Negate a command or set its defaults
  username  Configure user information.
  end       Go to exec mode
  exit      Exit from command interpreter

But when utilizing IOS Privilege level 15 (shell profile custom task default/max 15) I have 83 main commands.

Can you let me know if there is an ACS version dependency or better approach to configuring ACS for Nexus?

Thanks.

13 Replies

Jatin Katyal
Cisco Employee

What role are you pushing for your user account? Can you please provide the output of:

show user-account


Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin

I cannot retrieve this information in config mode. But in enable mode I am a vdc operator?

 

GW-CR-CORE-NX7010-1# sh user-account
user:admin
        this user account has no expiry date
        roles:vdc-admin
user:yi.jin
        roles:vdc-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
user:tuyen.nguyen
        roles:vdc-operator
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
GW-CR-CORE-NX7010-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
GW-CR-CORE-NX7010-1(config)# ?
  no        Negate a command or set its defaults
  username  Configure user information.
  end       Go to exec mode
  exit      Exit from command interpreter

I think I need to modify

shell:roles*"network-admin vdc-admin"

to

shell:roles*"network-admin,vdc-admin"

You're not getting the required role and that is the only reason you are unable to see/execute all the commands. You don't need to use (,) between "network-admin vdc-admin". I guess you are not hitting the right authorization rule under device administration. Please check the monitoring and reports > tacacs authorization for further details.

Use the debug tacacs+ all and debug aaa authorization commands to enable the trace.

Log in the user again, and collect the debug trace.

The trace should contain information for further investigation.


Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin

Thanks for the feedback. I inserted a comma, based upon the link below, and it fixed the issue.


https://supportforums.cisco.com/discussion/12030911/acs-54-nexus-7k-user-roles-not-correct

Hi, Tuyen. I have a question:

How did you introduce the custom attributes in shell profile? Were you able to introduce an attribute with quotation marks? I get logged out just after submitting...

Regards,

Ivan

Ivan,

There was a defect on this topic:

CSCug53703: Authorization profile with double quotes, ACS getting logged out.

This has been fixed in ACS 5.4 patch 4 and later.

What version are you running?

- Jatin

~Jatin

It seems to be hitting a similar problem on later versions. Our version is 5.4.0.46.6.

Maybe it was solved for Authorization profile but it is not for Shell Profiles.

Thanks for the tip, Jatin!! I found the bug:

https://tools.cisco.com/bugsearch/bug/CSCut06874/?referring_site=ss

Try this:

Copy and paste these characters and don't enter them via the keyboard; entering them via the keyboard is not considered a valid use case.

Let me know how it goes.

- Jatin

~Jatin

Thanks Jatin, but it is the same behaviour, I tried copying the parameters from this link with the same result:

https://supportforums.cisco.com/discussion/12030911/acs-54-nexus-7k-user-roles-not-correct

I tried to use ' instead of " and it does not even add the attribute to the list. Any other idea?

Hi Ivan

I used the following to fix my issue. Hope it helps.

cisco-av-pair=shell:roles*"network-admin,vdc-admin"

Hi Tuyen,

Which ACS version are you running (5.4.X.Y.Z)?

When I try to submit the attribute with double quote character, I get logged out.

We previously had 5-4-0-46-8 when we encountered the issue.

Hi Jatin,

I copied the end of the GET string that the browser is sending to ACS:

&contextData.inputMethod=EDIT&commonTaskAttrList=Assigned+Privilege+Level%09Mandatory%091&commonTaskAttrList=Max+Privilege+Level%09Mandatory%0915&customAttrListType=Static&customAttrList=cisco-av-pair%09Mandatory%09shell%3Aroles%3D%22network-admin%22

%22 is the correct encoding for a double quote, so the problem must be in the ACS server; maybe it is filtering the input of the GET parameters too aggressively...
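Both attribute forms discussed in this thread, the shell:roles av-pair from the earlier posts and the URL-encoded customAttrList form in the GET string above, can be sanity-checked offline before anyone pushes a shell profile to ACS and gets locked into vdc-operator. The following is an added example written for this page; it is not code from the thread, from Cisco ACS or from NX-OS. It parses the av-pair the way TACACS+ defines attribute-value pairs (RFC 8907: `=` marks a mandatory pair, `*` an optional one), accepts either role separator seen in the thread, flags typographic quotes that a word processor or web page may have substituted for ASCII `"`, and decodes the ACS GUI query string. The function names, the `KNOWN_ROLES` list and the problem messages are assumptions; the sample strings are the ones quoted in the posts above.

```python
"""Sanity-check a Cisco TACACS+ shell:roles attribute before submitting it to ACS.

Added example, not code from the thread, from Cisco ACS or from NX-OS.
"""
import re
from urllib.parse import parse_qs

# Role names visible in the 'show user-account' output quoted in the thread.
# Assumption: this list is illustrative, not the full set of NX-OS roles.
KNOWN_ROLES = {"network-admin", "network-operator", "vdc-admin", "vdc-operator"}

# Typographic quotes that editors and web pages substitute for ASCII " and '.
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"

# TACACS+ attribute-value pair: attr, then '=' (mandatory) or '*' (optional), then value.
AV_PAIR_RE = re.compile(r"^(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$")

# Tail of the GET string quoted in the thread (copied, not constructed).
SAMPLE_QUERY = (
    "&contextData.inputMethod=EDIT"
    "&commonTaskAttrList=Assigned+Privilege+Level%09Mandatory%091"
    "&commonTaskAttrList=Max+Privilege+Level%09Mandatory%0915"
    "&customAttrListType=Static"
    "&customAttrList=cisco-av-pair%09Mandatory%09shell%3Aroles%3D%22network-admin%22"
)


def parse_shell_roles(av_pair: str) -> dict:
    """Parse e.g. 'cisco-av-pair=shell:roles*"network-admin,vdc-admin"'.

    Returns the attribute name, whether the pair is mandatory, the role list
    and a list of problems a reviewer would want to know about.
    """
    problems = []
    # The ACS attribute name is not part of the TACACS+ pair; drop it if present.
    prefix = "cisco-av-pair="
    if av_pair.startswith(prefix):
        av_pair = av_pair[len(prefix):]

    if any(ch in av_pair for ch in CURLY_QUOTES):
        problems.append('typographic quotes present; NX-OS expects ASCII "')
        av_pair = av_pair.translate(str.maketrans(CURLY_QUOTES, "\"\"''"))

    m = AV_PAIR_RE.match(av_pair)
    if not m or m.group("attr") != "shell:roles":
        problems.append("not a shell:roles pair")
        return {"attr": None, "mandatory": None, "roles": [], "problems": problems}

    mandatory = m.group("sep") == "="  # '=' mandatory, '*' optional (RFC 8907)
    value = m.group("value")
    if not (len(value) >= 2 and value[0] == '"' and value[-1] == '"'):
        problems.append("role list is not enclosed in double quotes")
    value = value.strip('"')

    # Accept either separator that appears in the thread: space or comma.
    roles = [r for r in re.split(r"[,\s]+", value) if r]
    if not roles:
        problems.append("no roles given")
    unknown = sorted(set(roles) - KNOWN_ROLES)
    if unknown:
        problems.append("unrecognised role name(s): " + ", ".join(unknown))
    return {"attr": "shell:roles", "mandatory": mandatory, "roles": roles, "problems": problems}


def av_pairs_from_acs_query(query: str) -> list:
    """Extract cisco-av-pair values from an ACS shell-profile GET query string.

    Each customAttrList entry is 'name<TAB>Mandatory|Optional<TAB>value',
    URL-encoded (%09 is the tab, %22 the double quote).
    """
    params = parse_qs(query.lstrip("&"))
    pairs = []
    for entry in params.get("customAttrList", []):
        fields = entry.split("\t")
        if len(fields) == 3 and fields[0] == "cisco-av-pair":
            pairs.append(fields[2])
    return pairs


if __name__ == "__main__":
    # The three av-pair spellings that appear in the posts above.
    for sample in (
        'cisco-av-pair=shell:roles*"network-admin vdc-admin"',
        'cisco-av-pair=shell:roles*"network-admin,vdc-admin"',
        "cisco-av-pair=shell:roles*\u201dnetwork-admin,vdc-admin\u201d",
    ):
        print(sample, "->", parse_shell_roles(sample))
    for pair in av_pairs_from_acs_query(SAMPLE_QUERY):
        print(pair, "->", parse_shell_roles(pair))
```

Run it as a script to see each spelling from the thread parsed; a non-empty `problems` list is the signal to fix the attribute in the shell profile before testing the login. The decoded GET string shows that the GUI did transmit a well-formed `shell:roles="network-admin"`, which is why the thread concludes the logout is server-side.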
