03-26-2014 12:09 PM - edited 03-10-2019 09:34 PM
Hi
I am trying to configure my Cisco ACS 5.4 via TACACS for Nexus 7000 (NXOS 6.2(2)). Following this documentation
But when logging into config mode I am limited to 4 commands on the Nexus 7000:
no Negate a command or set its defaults
username Configure user information.
end Go to exec mode
exit Exit from command interpreter
But when utilizing IOS privilege level 15 (shell profile custom task default/max 15) I have 83 main commands.
Can you let me know if there is an ACS version dependency or better approach to configuring ACS for Nexus?
Thanks.
03-26-2014 07:52 PM
What role are you pushing for your user account? Can you please provide the output of
show user-account
Regards,
Jatin Katyal
*Do rate helpful posts*
03-26-2014 08:24 PM
I cannot retrieve this information in config mode, but in enable mode I am a vdc-operator?
GW-CR-CORE-NX7010-1# sh user-account
user:admin
this user account has no expiry date
roles:vdc-admin
user:yi.jin
roles:vdc-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
user:tuyen.nguyen
roles:vdc-operator
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
GW-CR-CORE-NX7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
GW-CR-CORE-NX7010-1(config)# ?
no Negate a command or set its defaults
username Configure user information.
end Go to exec mode
exit Exit from command interpreter
I think I need to modify
shell:roles*"network-admin vdc-admin"
to
shell:roles*"network-admin,vdc-admin"
03-26-2014 08:51 PM
You're not getting the required role and that is the only reason you are unable to see/execute all the commands. You don't need to use (,) between "network-admin vdc-admin". I guess you are not hitting the right authorization rule under device administration. Please check Monitoring and Reports > TACACS Authorization for further details.
Use the debug tacacs+ all and debug aaa authorization commands to enable the trace.
Log in the user again, and collect the debug trace.
The trace should contain information for further investigation.
Regards,
Jatin Katyal
*Do rate helpful posts*
03-27-2014 12:05 PM
Thanks for the feedback. I inserted a comma, based upon the link below, and it fixed the issue.
https://supportforums.cisco.com/discussion/12030911/acs-54-nexus-7k-user-roles-not-correct
01-14-2016 10:00 AM
Hi, Tuyen. I have a question:
How did you introduce the custom attributes in shell profile? Were you able to introduce an attribute with quotation marks? I get logged out just after submitting...
Regards,
Ivan
01-14-2016 10:22 AM
Ivan,
There was a defect on this topic:
CSCug53703 Authorization profile with double quotes, ACS getting logged out.
This has been fixed in ACS 5.4 patch 4 and later.
What version are you running?
- Jatin
01-14-2016 10:39 AM
It seems to hit a similar problem on later versions. Our version is 5.4.0.46.6.
Maybe it was solved for Authorization profile but it is not for Shell Profiles.
Thanks for the tip, Jatin!! I found the bug:
https://tools.cisco.com/bugsearch/bug/CSCut06874/?referring_site=ss
01-14-2016 10:43 AM
Try this:
Copy and paste these characters rather than entering them via the keyboard; entering them via the keyboard is not considered a valid use case.
Let me know how it goes.
- Jatin
01-15-2016 02:44 AM
Thanks Jatin, but it is the same behaviour. I tried copying the parameters from this link with the same result:
https://supportforums.cisco.com/discussion/12030911/acs-54-nexus-7k-user-roles-not-correct
I tried to use ' instead of " and it does not even add the attribute to the list. Any other idea?
01-15-2016 04:54 AM
Hi Ivan
I used the following to fix my issue. Hope it helps
cisco-av-pair=shell:roles*"network-admin,vdc-admin"
01-15-2016 05:00 AM
Hi Tuyen,
Which is your ACS version (5.4.X.Y.Z)?
When I try to submit the attribute with double quote character, I get logged out.
01-15-2016 06:01 AM
We previously had 5.4.0.46.8 when we encountered the issue.
01-15-2016 05:12 AM
Hi Jatin,
I copied the end of the GET string that Explorer is sending to ACS:
&contextData.inputMethod=EDIT&commonTaskAttrList=Assigned+Privilege+Level%09Mandatory%091&commonTaskAttrList=Max+Privilege+Level%09Mandatory%0915&customAttrListType=Static&customAttrList=cisco-av-pair%09Mandatory%09shell%3Aroles%3D%22network-admin%22
%22 is the correct encoding for a double quote, so the problem must be in the ACS server; maybe it is filtering the GET parameter input too aggressively...
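Added example (not code from the thread, from Cisco ACS or from NX-OS): a small Python helper that does the three checks this thread circles around. It decodes the ACS shell-profile form submission quoted above to show exactly which cisco-av-pair value reached the server, parses that value the way a TACACS+ client would (`=` marks a mandatory attribute and `*` an optional one, per RFC 8907), splits the shell:roles list accepting both the comma form that fixed the original poster's problem and the space form Jatin described, and flags typographic quotes, since the pasted line earlier in the thread carries curly quotes that no TACACS+ client treats as quoting. `SAMPLE_QUERY` is the GET tail quoted above, embedded as constructed test input; the role-separator handling is an assumption that both forms should be reported rather than a statement about which one a given NX-OS release accepts.

```python
from urllib.parse import parse_qs

# Constructed sample input: the tail of the GET string quoted in the thread,
# as the ACS web UI URL-encodes it (%09 = tab, %22 = double quote, %3A = ':').
SAMPLE_QUERY = (
    "&contextData.inputMethod=EDIT"
    "&commonTaskAttrList=Assigned+Privilege+Level%09Mandatory%091"
    "&commonTaskAttrList=Max+Privilege+Level%09Mandatory%0915"
    "&customAttrListType=Static"
    "&customAttrList=cisco-av-pair%09Mandatory%09shell%3Aroles%3D%22network-admin%22"
)

# Typographic quotes that a copy/paste from a web page or word processor can
# substitute for ASCII '"'; TACACS+ clients do not treat them as quoting.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def has_smart_quotes(raw):
    """True if the attribute text carries curly quotes instead of ASCII quotes."""
    return any(ch in SMART_QUOTES for ch in raw)


def parse_av_pair(raw):
    """Split a TACACS+ attribute-value pair into (name, mandatory, value).

    In TACACS+ (RFC 8907) '=' marks a mandatory attribute and '*' an optional
    one; the first such character ends the attribute name. Surrounding ASCII
    quotes are stripped from the value.
    """
    for i, ch in enumerate(raw):
        if ch in "=*":
            name, mandatory, value = raw[:i], ch == "=", raw[i + 1:]
            break
    else:
        raise ValueError(f"no '=' or '*' separator in {raw!r}")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return name, mandatory, value


def roles_from_av_pair(raw):
    """Return (roles, style) for a cisco-av-pair shell:roles attribute.

    style is 'comma' for "network-admin,vdc-admin" (the form that fixed the
    issue in the thread), 'space' for "network-admin vdc-admin", or 'single'
    when only one role is listed. Both multi-role forms are accepted so an
    admin can see which one a given profile actually sends.
    """
    name, _mandatory, value = parse_av_pair(raw)
    if name != "shell:roles":
        raise ValueError(f"not a shell:roles attribute: {name!r}")
    if "," in value:
        roles = [r.strip() for r in value.split(",") if r.strip()]
        return roles, "comma"
    roles = value.split()
    return roles, "space" if len(roles) > 1 else "single"


def custom_attrs_from_query(query):
    """Decode an ACS shell-profile form submission and return its custom
    attribute list as (attribute, requirement, av_pair) tuples."""
    # A leading '&' yields an empty pair, which parse_qs skips by default.
    fields = parse_qs(query)
    return [tuple(entry.split("\t", 2)) for entry in fields.get("customAttrList", [])]


if __name__ == "__main__":
    for attr, req, av_pair in custom_attrs_from_query(SAMPLE_QUERY):
        print(attr, req, av_pair, roles_from_av_pair(av_pair))
    # Constructed: the line as pasted in the thread, with curly quotes.
    print(has_smart_quotes("shell:roles*\u201dnetwork-admin,vdc-admin\u201d"))
```

Running it against the captured query shows that the browser did send `shell:roles="network-admin"` with ASCII quotes intact, which supports the poster's conclusion that the rejection happens server-side rather than in the encoding; running `has_smart_quotes` over a line pasted from a web page catches the curly-quote substitution before it is submitted to ACS.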