Nexus 7k and Cisco ACS 5.4 RBAC

Greetings

I am trying to provide limited access on Nexus 7k using ACS 5.4 via TACACS. I used the following in my shell profile:

 

ATTRIBUTE:  cisco-av-pair

REQUIREMENT:  mandatory (even tried optional)

VALUE:  shell:roles="network-operator"

 

Everything seems to work, but I cannot ping/traceroute and receive this error from the Nexus 7k:

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

 

Participant

Hey,

Could you share the AAA configuration on the Nexus?

 

Regards

Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
Beginner

Sure

aaa authentication login default group CORP_ACS
aaa authentication login console local
aaa authorization commands default group CORP_ACS local
aaa accounting default group CORP_ACS
aaa authentication login error-enable

 

aaa group server tacacs+ CORP_ACS
    server x.x.x.x
    server x.x.x.x
    use-vrf management

Participant

Hi Tony,

You should not have command authorization when you use RBAC.

Kindly remove: aaa authorization commands default group CORP_ACS local

and check again.

Regards

Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
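
A config check for the point in the reply above, as an added example that is not part of the thread and not Cisco tooling: it scans NX-OS AAA lines for command authorization pointed at a server group, resolves the group's protocol, and returns the `no` form that removes the line. The function name `audit_aaa` and the finding fields are assumptions, the sample is the config posted in this thread, and matching `config-commands` as well goes beyond the case posted.

```python
import re

# Sample input: the AAA lines posted in this thread (addresses masked as posted).
SAMPLE_CONFIG = """\
aaa authentication login default group CORP_ACS
aaa authentication login console local
aaa authorization commands default group CORP_ACS local
aaa accounting default group CORP_ACS
aaa authentication login error-enable
aaa group server tacacs+ CORP_ACS
    server x.x.x.x
    server x.x.x.x
    use-vrf management
"""

GROUP_RE = re.compile(r"^aaa group server (\S+) (\S+)$")
AUTHOR_RE = re.compile(r"^aaa authorization ((?:config-)?commands) (\S+) (.+)$")


def audit_aaa(config):
    """Flag command-authorization lines that hand decisions to a remote AAA group."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Server-group name -> protocol, e.g. {"CORP_ACS": "tacacs+"}
    groups = {}
    for ln in lines:
        m = GROUP_RE.match(ln)
        if m:
            groups[m.group(2)] = m.group(1).lower()
    findings = []
    for ln in lines:
        m = AUTHOR_RE.match(ln)
        if not m:
            continue
        methods = m.group(3).split()
        if methods[0] != "group":
            continue  # e.g. "local": commands are not sent to a server group
        names = [w for w in methods[1:] if w != "local"]
        findings.append({
            "line": ln,
            "scope": m.group(2),  # "default" in the posted config
            "groups": {n: groups.get(n, "unknown") for n in names},
            "local_fallback": "local" in methods[1:],
            "remove_with": "no " + ln,  # negated form of the flagged line
        })
    return findings


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_CONFIG):
        print("command authorization via", f["groups"], "->", f["remove_with"])
```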
Enthusiast

ref: http://www.hellanetwork.com/2013/06/nx-os-security.html