10-13-2018 11:48 PM
Hi Guys,
We are using ISE for authentication for all of our network devices, and it's working just fine.
We have some issue with N9K integration.
When trying to login to our N9K, the login is successful, but when trying to run some commands such as "show run", we are getting this error message:
% Permission denied for the role
It's very strange, because we also have N5K, and it's working fine with it.
Also, on the N9K, I can enter "configure terminal" mode, but have only 4 options there.
What can cause it, and how can I get it fully working?
Thanks in advance
10-25-2018 07:52 AM - edited 10-26-2018 08:19 PM
I do not have a Nexus 9K but my understanding is that NX-OS has built-in roles and allows us to define additional roles and r/w access of commands for each role. For example, use NX-OS CLI command "show cli syntax roles network-admin" to see the full command list available for network-admin.
Also, quite a few in the community and on the net might help. For example,
10-15-2018 08:39 AM
Can you provide more details on the setup? Protocol, policy, configuration, NOS/ISE version, etc.
11-23-2019 03:06 AM - edited 11-23-2019 03:15 AM
Problem: Users authenticated to the Nexus default to only the "vdc-operator" role and lack permissions. The problem occurs because the default ISE TACACS profile for TACACS logins lacks the Nexus role(s) attribute.
Resolution Steps:
1) If you are having this issue you have likely used Work Centers > Policy Elements > Results > TACACS Profiles > "Default Shell Profile".
2) Do not use "Default Shell Profile". Create a new shell profile to be used for all devices that pushes the Nexus policy roles if you log in to a Nexus (it will be used for all Nexus and IOS devices later).
"Add" > "NexusShellProfile" > go to "Common Task Type" > Nexus
Set attributes as "Mandatory": Network Role "Administrator (Read Write)" and VDC Role "Administrator (Read Write)"
(shell step config done for Nexus) SAVE at the bottom in the Nexus Common Task Type.
This attribute will appear at the bottom when done:
MANDATORY shell:roles "network-admin vdc-admin"
Now go back to "Common Task Type" > Shell > Default Privilege > set to 15, now SAVE the shell profile. (Now you have a shell profile which works with both Nexus and other IOS devices which do not use roles.)
3) Now apply "NexusShellProfile" to your Device Admin Policy Sets:
Work Centers > Device Admin > Policy Sets > Default (or the custom name you have given it)
Hit the right arrow on the right of the policy set to edit, go to Authorization Policy (NOT Authorization Policy Local Exceptions or Authorization Policy Global Exceptions)!!!
For your rule that allows access, change the Shell Profile to the "NexusShellProfile" you created in step 2. Save. Log in to the Nexus. Problem solved!
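The core of the fix above is that the shell profile must return a `shell:roles` attribute for Nexus while still returning `priv-lvl` for IOS. The following Python script is an added example, not code from Cisco, ISE or the poster; it simulates how the two kinds of device would interpret the TACACS+ authorization attribute-value pairs a profile returns. The TACACS+ separator convention (`name=value` mandatory, `name*value` optional), the fallback to `vdc-operator` and the role names come from the post; the sample profiles are constructed, and the IOS default privilege level of 1 is an assumption for illustration.

```python
"""Simulate how NX-OS and IOS interpret the AV pairs an ISE shell profile returns.

Added example (not Cisco's, ISE's or the poster's code). The attribute
syntax follows the TACACS+ convention: "name=value" is mandatory,
"name*value" is optional. The fallback role name (vdc-operator) and the
Nexus role names come from the post above; everything else is assumed.
"""
from dataclasses import dataclass

DEFAULT_NEXUS_ROLE = "vdc-operator"  # role the post says users fall back to
DEFAULT_IOS_PRIV_LVL = 1             # assumed IOS default when priv-lvl is absent


@dataclass
class AVPair:
    name: str
    value: str
    mandatory: bool


def parse_av_pairs(pairs):
    """Parse TACACS+ authorization AV pairs.

    '=' marks a mandatory attribute, '*' an optional one. A pair with
    neither separator is malformed and is rejected rather than guessed at.
    """
    parsed = []
    for raw in pairs:
        # Use whichever separator occurs first in the string.
        positions = [i for i in (raw.find("="), raw.find("*")) if i != -1]
        if not positions:
            raise ValueError(f"malformed AV pair: {raw!r}")
        i = min(positions)
        parsed.append(AVPair(raw[:i], raw[i + 1:], raw[i] == "="))
    return parsed


def nexus_roles(pairs):
    """Roles a Nexus switch would take from the profile.

    Returns the roles named in shell:roles when present; otherwise the
    low-privilege default role the post describes.
    """
    for p in parse_av_pairs(pairs):
        if p.name == "shell:roles" and p.value.strip():
            return p.value.split()
    return [DEFAULT_NEXUS_ROLE]


def ios_priv_level(pairs):
    """Privilege level an IOS device would take from the same profile."""
    for p in parse_av_pairs(pairs):
        if p.name == "priv-lvl":
            return int(p.value)
    return DEFAULT_IOS_PRIV_LVL


def profile_serves_both(pairs):
    """True when the profile carries both the Nexus roles and an IOS priv-lvl,
    which is what the post's combined 'NexusShellProfile' achieves."""
    names = {p.name for p in parse_av_pairs(pairs)}
    return {"shell:roles", "priv-lvl"} <= names


# Constructed sample profiles (not captured from a real ISE deployment):
DEFAULT_SHELL_PROFILE = ["priv-lvl=15"]
NEXUS_SHELL_PROFILE = ["shell:roles=network-admin vdc-admin", "priv-lvl=15"]

if __name__ == "__main__":
    for name, profile in [("Default Shell Profile", DEFAULT_SHELL_PROFILE),
                          ("NexusShellProfile", NEXUS_SHELL_PROFILE)]:
        print(f"{name}: nexus roles={nexus_roles(profile)}, "
              f"ios priv-lvl={ios_priv_level(profile)}, "
              f"serves both={profile_serves_both(profile)}")
```

Running it shows the symptom from the original question: a profile that only sets `priv-lvl=15` leaves a Nexus user as `vdc-operator`, while the combined profile yields `network-admin vdc-admin` on Nexus and privilege 15 on IOS from the same set of attributes.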
06-03-2020 08:57 AM
This is exactly what I am looking for. It fixed my problem.
Getting the same issue for Citrix ADC which I am looking for.
Thanks