
Nexus and UCS TACACS+ authentication and RBAC problem

Mate Grbavac
Level 1

Hi,

I have a Nexus 5548 running NX-OS 5.1(3)N2(1) and UCS running UCSM 2.0(4b). My problem is AAA through TACACS and RBAC.

I would like to log in with a single account to the Nexus 5548 and UCS with full admin rights ("network-admin" for Nexus and "admin" for UCS).

The problem is the av-pair: if I set the av-pair as cisco-av-pair=shell:roles*"admin" shell:roles="network-admin", then I get "admin" access to UCS, but "network-operator" to Nexus.

If the av-pair is cisco-av-pair=shell:roles*"network-admin" shell:roles="admin", then I get "network-admin" access for Nexus, but "read-only" for UCS.

I tried to create a custom role on Nexus and UCS with the same name, "custom-admin", but I can't set up full admin rights on Nexus; for example, I can't permit these commands:

aaa            Configure aaa functions
boot           Configure boot variables
control-plane  Enter to control-plane sub-mode
install        Install a feature-set
license        Modify license features
ntp            NTP Configuration
port-channel   Configure port channel parameters
role           Configure roles
terminal       Configure terminal settings
vdc            Manage Virtual Device Context

A solution with a custom-created role is fine with me if I can get full admin access with all commands on Nexus and UCS.

Can someone please help me with how to configure the TACACS server to authorize a single user on Nexus and UCS with full admin rights, or how to create a custom role with full admin rights similar to the "network-admin" role on Nexus?

1 Reply

Mate Grbavac
Level 1

After a few tries we found the solution.

The solution is customizing the cisco av-pair; it must look like:

cisco-av-pair=shell:roles*"network-admin admin"
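As an added illustration (not code from the thread or from Cisco), the following Python parses a cisco-av-pair value into its TACACS+ attribute-value pairs (attr=value is mandatory, attr*value is optional) and applies a simplified first-match model that reproduces the three outcomes reported above. The role sets and the "first shell:roles attribute wins, unknown roles fall back to the default" rule are assumptions made to fit the observations, not vendor documentation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AvPair:
    attr: str
    value: str
    optional: bool  # TACACS+ syntax: attr=value is mandatory, attr*value is optional


def parse_cisco_av_pair(line: str) -> list[AvPair]:
    """Split a value such as  shell:roles*"admin" shell:roles="network-admin"
    into individual attribute-value pairs, with or without the cisco-av-pair= prefix."""
    body = line.split("=", 1)[1] if line.startswith("cisco-av-pair=") else line
    pairs = []
    for m in re.finditer(r'([\w:-]+)([=*])"([^"]*)"', body):
        attr, sep, value = m.groups()
        pairs.append(AvPair(attr, value, optional=(sep == "*")))
    return pairs


def effective_role(line: str, known_roles: set[str], default_role: str) -> str:
    """Assumed model: the device honours only the first shell:roles attribute,
    keeps the role names it recognises, and falls back to its default role
    when none of the listed names exist locally."""
    for p in parse_cisco_av_pair(line):
        if p.attr == "shell:roles":
            matched = [r for r in p.value.split() if r in known_roles]
            return " ".join(matched) if matched else default_role
    return default_role


# Role names taken from the thread; the defaults are the fallbacks it reports.
NEXUS_ROLES = {"network-admin", "network-operator"}
UCS_ROLES = {"admin", "read-only"}


def roles_for(line: str) -> tuple[str, str]:
    """Return (role granted on Nexus, role granted on UCS) for one av-pair line."""
    return (effective_role(line, NEXUS_ROLES, "network-operator"),
            effective_role(line, UCS_ROLES, "read-only"))


if __name__ == "__main__":
    for av in ('cisco-av-pair=shell:roles*"admin" shell:roles="network-admin"',
               'cisco-av-pair=shell:roles*"network-admin" shell:roles="admin"',
               'cisco-av-pair=shell:roles*"network-admin admin"'):
        print(av, "->", roles_for(av))
```

Only the last line, a single optional shell:roles attribute carrying both role names, yields the intended role on each platform under this model.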