cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10243
Views
11
Helpful
4
Replies

ISE inegration with Nexus 9000

robad
Level 1
Level 1

Hi Guys,

We are using ISE for authentication for all of our network devices, and it's working just fine.

We have some issue with N9K integration.

 

When trying to login to our N9K, the login is successful, but when trying to run some commands as "show run", we are getting this error message :

% Permission denied for the role

 

 

It's very strange, because we have also N5K, and it's working fine with it.

also, on the N9K, I can enter to "configure terminal" mode, but have only 4 options there.

 

What can cause it, and how can I get it fully working ?

 

Thanks in advance

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee
Cisco Employee

I do not have a Nexus 9K but my understanding is that NX-OS has built-in roles and allows us to define additional roles and r/w access of commands for each role. For example, use NX-OS CLI command "show cli syntax roles network-admin" to see the full command list available for network-admin.

Also, quite a few in the community and on the net might help. For example,

View solution in original post

4 Replies 4

howon
Cisco Employee
Cisco Employee

Can you provide more details on the setup? Protocol, policy, configuration, NOS/ISE version, etc.

hslai
Cisco Employee
Cisco Employee

I do not have a Nexus 9K but my understanding is that NX-OS has built-in roles and allows us to define additional roles and r/w access of commands for each role. For example, use NX-OS CLI command "show cli syntax roles network-admin" to see the full command list available for network-admin.

Also, quite a few in the community and on the net might help. For example,

Problem: Authenticated users to the nexus default to only "vdc-operator" role and lack permissions. The problem occurs because the default ISE tacacs profile for tacacs logins lacks the nexus role(s) attribute.

 

1) If you are having this issue you have likely used Workcenters > Policy Elements > Results > TACACS Profiles "Default Shell Profile"

 

Resolution Steps:

 

2) Do no use "Default Shell Profile" create a new shell profile to be used for all devices that has pushes the Nexus Policy Roles if you login to nexus (will be used for all nexus and ios devices later).

 

nexus1.jpg

 

"Add > "NexusShellProfile" go to "common task type" > Nexus

 

nexus2.jpg

 

Set attributes as "mandatory" Network Role "Administrator (Read Write)" and VDC Role "Administrator (Read Write)"

 

(shell step config done for nexus) SAVE at Bottom in Nexus Common task type.

nexus2a.jpg

 

this attribute will appear at bottom when done

 

MANDATORY shell:roles "network-admin vdc-admin

 

now go back to go to "common task type" > shell Default Privilege > set to 15 now SAVE shell profile. (Now you have a shell profile which works with both Nexus and other IOS Devices which do not use roles.)

 

3) Now apply "NexusShellProfile" to your Device Admin Policy Sets

 

Workcenter > Device Admin Policy Sets > Default (or if you have given some custom name set here)

 

Hit Right Arrow on right of policy set to edit go to Authorization Policy (NOT Authorization Policy Local Exceptions or Authorization Policy Global Exceptions) !!!

 

for Your Rule allow access change Shell Policy to "NexusShellProfile" You created in step 2. Save. Login to Nexus. Problem Solved!

 

nexus3.jpg

This is exactly what I am looking for. If fixed my problem.

Getting the same issue for Citrix ADC which I am looking for.

 

Thanks