04-03-2014 06:57 AM - edited 03-10-2019 09:36 PM
Greetings
I am trying to provide limited access on a Nexus 7k using ACS 5.4 via TACACS. I used the following in my shell profile:
ATTRIBUTE: cisco-av-pair
REQUIREMENT: mandatory (even tried optional)
VALUE: shell:roles="network-operator"
Everything seems to work, but I cannot ping/traceroute and I receive this error from the Nexus 7k:
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)
04-04-2014 12:46 PM
Hey,
Could you share the AAA configuration on the Nexus?
Regards
Ed
04-06-2014 06:10 PM
Sure
aaa authentication login default group CORP_ACS
aaa authentication login console local
aaa authorization commands default group CORP_ACS local
aaa accounting default group CORP_ACS
aaa authentication login error-enable
aaa group server tacacs+ CORP_ACS
  server x.x.x.x
  server x.x.x.x
  use-vrf management
04-07-2014 07:40 AM
Hi Tony,
You should not have command authorization when you use RBAC.
Kindly remove: aaa authorization commands default group CORP_ACS local
and check again.
Regards
Ed
04-06-2014 11:17 PM
ref:
http://www.hellanetwork.com/2013/06/nx-os-security.html