Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

jenny conlan

Configuring ACS 5.4 to authenticate Role Based Access Control (RBAC) users on a Nexus 5000 via TACACS+

There is a great document on the site for configuring ACS 5.X to authenticate voa TACACS+ but with 5.4 - there is possibly an extra step required.

In 5.4 where you map the Shell Profile to the Authorization Policy – you are now required to specify a Command Set undert eh Shell Profile, whihch 5.2 didnt have. Trying to accomplish using the default san-admin role in NX-OS.

ACS_Shell Profile.png

Amjad Abdullah

I think the command set does not matter.

Because the Nexus takes only the role and does not use per-command authorization (AFAIK), then it will take the role from the shell profile but selecting the command set does not matter because it does not use per command authorization.

I used command sets with CRS-1 and they had no effect. Only the shell profile configuration matters.

What is the situation at your end? do things work fine with/without selecting the command set? or putting empty command set in place?

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
jenny conlan

Amjad - thank you for post.

The first thing I found was the Command Set feature is customizeable - it can be removed by:

“On Access Policies>Authorization> Click customize, and remove the command set from the selected side, as you do not wish to use commands sets.”

The second thing is when both the Shell Profile and the Command Set are used together - the most restrictive takes precedence. I applied a PermitAll command set but was still limited tothe premsisions set forth inthesan-admin NX-OS role,

Jenny - Thanks for the info.

So, if you are mentioning taht the most restrictive takes place, does that mean if you choose DenyAll then you will not be able to issue any command regardless of your role?

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

In this instance with the Nexus 5K - if I chose DenyAll as the CommandSet - I get denied right away.

SWITCH2# conf t

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

SWITCH# sh run

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube