Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1772
Views
2
Helpful
4
Replies

Configuring ACS 5.4 to authenticate Role Based Access Control (RBAC) users on a Nexus 5000 via TACACS+

jenny conlan
Level 1
Level 1

‎01-21-2014 11:30 AM - edited ‎03-10-2019 09:18 PM

There is a great document on the site for configuring ACS 5.X to authenticate voa TACACS+ but with 5.4 - there is possibly an extra step required.

https://supportforums.cisco.com/docs/DOC-14273

In 5.4 where you map the Shell Profile to the Authorization Policy – you are now required to specify a Command Set undert eh Shell Profile, whihch 5.2 didnt have. Trying to accomplish using the default san-admin role in NX-OS.

ACS_Shell Profile.png

Labels:
0 Helpful
4 Replies 4

Amjad Abdullah
VIP Alumni
VIP Alumni

‎01-21-2014 09:20 PM

I think the command set does not matter.

Because the Nexus takes only the role and does not use per-command authorization (AFAIK), then it will take the role from the shell profile but selecting the command set does not matter because it does not use per command authorization.

I used command sets with CRS-1 and they had no effect. Only the shell profile configuration matters.

What is the situation at your end? do things work fine with/without selecting the command set? or putting empty command set in place?

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

jenny conlan
Level 1
Level 1

‎01-22-2014 07:53 AM

Amjad - thank you for post.

The first thing I found was the Command Set feature is customizeable - it can be removed by:

“On Access Policies>Authorization> Click customize, and remove the command set from the selected side, as you do not wish to use commands sets.”

The second thing is when both the Shell Profile and the Command Set are used together - the most restrictive takes precedence. I applied a PermitAll command set but was still limited tothe premsisions set forth inthesan-admin NX-OS role,


0 Helpful

Amjad Abdullah
VIP Alumni
VIP Alumni
In response to jenny conlan

‎01-22-2014 09:14 PM

Jenny - Thanks for the info.

So, if you are mentioning taht the most restrictive takes place, does that mean if you choose DenyAll then you will not be able to issue any command regardless of your role?

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

jenny conlan
Level 1
Level 1
In response to Amjad Abdullah

‎01-23-2014 12:40 PM

In this instance with the Nexus 5K - if I chose DenyAll as the CommandSet - I get denied right away.

SWITCH2# conf t

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

SWITCH# sh run

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

0 Helpful
Customers Also Viewed These Support Documents