cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2245
Views
10
Helpful
11
Replies

Providing Limited Access via custom RBAC using TACACS+ (ACS 5.4) - NX-OS

jenny conlan
Beginner
Beginner

Hello,

I have created the follwoing custom RBAC on NX-OS.

Role: Limited_Admin

  11      deny    command                         config t ; interface mgmt 0

10      permit  command                         read            

  9       permit  command                         config t ; interface * ; *

  8       permit  command                         copy running-config startup-config

  7       permit  command                         ping *                

  6       permit  command                         traceroute *           

I have created a Shell Profile with the following attributes that will place the user in the Limited_Admin role and mapped this to the Authorization Policy rule.

Attribute cicso-av-pair

Requirement Mandatory

Vlaue shell:roles="Limited_Admin"

When I log in with Test Account - i get mapped to the custom role as seen below however i have priv 15.

user:testrbac

        roles:Limited_Admin

account created through REMOTE authentication

Credentials such as ssh server key will be cached temporarily only for this user account

Local login not possible

Any assistance greatly appreciated. I had this working perfectly on 4.2. but unable to get the rules to work on 5.4.

AAA Config from Nexus:

tacacs-server key *****

ip tacacs source-interface mgmt0

tacacs-server host x.x.x.x

aaa group server tacacs+ ACS-SERVERS

    server x.x.x.x

    use-vrf management

aaa group server tacacs+ ACS-SERVERS

aaa authentication login default group ACS-SERVERS

aaa authentication login console local

aaa accounting default group ACS-SERVERS

aaa authentication login error-enable

1 ACCEPTED SOLUTION

Accepted Solutions

Jatin Katyal
Cisco Employee
Cisco Employee

I saw that and that is what I wanted to see and use as a format/syntax on nx under role

ike this

Role: Limited_Admin

  11      deny    command                         configure terminal ; interface mgmt0

however I think you tried and confirmed that it didn't' work so I started thinking that it could be a Os bug. Glad it's working for you.

Jatin
*Do rate help posts*

Sent from Cisco Technical Support Android App

~Jatin

View solution in original post

11 REPLIES 11

jenny conlan
Beginner
Beginner

This does work as expected however, I was testing success/fail by attempting to configure int mgmt 0 - which should be denied but it is not.

To confirm I logged in as test and went into configuiration mode and did a ?


#config t

(config)# ?

I only see the following options -

  interface  Configure interfaces

  end        Go to exec mode

  exit       Exit from command interpreter

Just need to know why my deny for int mgmt 0 is not being denied?

Hi Jenny,

  I have created the article on this : Kindly check and verify if all the settings are correct:

https://supportforums.cisco.com/docs/DOC-33073

Regards

Minakshi (Do rate the helpful posts)

Jatin Katyal
Cisco Employee
Cisco Employee

I checked your configuration and it seems VSA format is correct on the ACS. I didn check the ID of the commands you have added under the role because the RBAC parser accesses a rule from highest to lowest rule number and that is correct too. I'd like to see debugs from Nexus to get to the bottom of this.

Could you please run

debug tacacs

debug aaa authen

debug aaa author

Please provide the output at per your convenience.

Regards,

Jatin

*Do rate helpful posts*

~Jatin

I appreciate the help.

debug tacacs+

debug aaa all (couldnt set to authen and auth)

2013 Jun  4 15:44:03.182300 aaa: aaa_create_local_acct_req: user=testrbac, session_id=@pts/14, log=configure terminal ; interface mgmt0 (SUCCESS)

2013 Jun  4 15:44:03.182320 aaa: aaa_req_process for accounting. session no 0

2013 Jun  4 15:44:03.182328 aaa: MTS request reference is NULL. LOCAL request

2013 Jun  4 15:44:03.182335 aaa: Setting AAA_REQ_RESPONSE_NOT_NEEDED

2013 Jun  4 15:44:03.182344 aaa: aaa_req_process: General AAA request from appln: default appln_subtype: default

2013 Jun  4 15:44:03.182353 aaa: try_next_aaa_method

2013 Jun  4 15:44:03.182365 aaa: aaa_method_config: GET request for accounting default default

2013 Jun  4 15:44:03.182384 aaa: aaa_method_config: GET methods group ACS-SERVERS 

2013 Jun  4 15:44:03.182393 aaa: got back the return value of aaa method configuration operation:success

2013 Jun  4 15:44:03.182402 aaa: total methods configured is 1, current index to be tried is 0

2013 Jun  4 15:44:03.182411 aaa: handle_req_using_method

2013 Jun  4 15:44:03.182418 aaa: AAA_METHOD_SERVER_GROUP

2013 Jun  4 15:44:03.182427 aaa: do parallel local accounting

2013 Jun  4 15:44:03.182435 aaa: aaa_local_accounting_msg

2013 Jun  4 15:44:03.182444 aaa: update:@pts/14:testrbac:configure terminal ; interface mgmt0 (SUCCESS)

2013 Jun  4 15:44:03.182452 aaa: av list is null. No vsan id

not much difference I see in the debugs and the way you have defined. However still try to push it as it is and see how it goes.

like this

Role: Limited_Admin

  11      deny    command                         configure terminal ; interface mgmt0

I'll check in the backround if something else need to be tweaked.

Jatin Katyal
- Do rate helpful posts -

~Jatin

I tried using the full command but its a no-go : (

please share the NX-OS code.

Jatin Katyal
- Do rate helpful posts -

~Jatin

NX-OS - 5.0(3)N1(1c)

Cisco ACS VERSION INFORMATION

-----------------------------

Version : 5.4.0.46.0a

I also tested NX-OS 5.1(3)N2(1) - same result.


have you tried assiging a role to the local user itself. Just wanted to rule out NX-OS issue.

If you can map the role with local created user and test the interface mgmt0 command.

Let me kno.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Success!

Changed the rule to deny command config t ; interface mgmt0

The interface name is mgmt0, not mgmt –space- 0

Although it will accept int mgmt -space- 0  the deny command woudl not work unless it was entered without the space!

This worked on the both verisons:

5.0(3)N1(1c)

5.2(1)N1(2a)

Jatin Katyal
Cisco Employee
Cisco Employee

I saw that and that is what I wanted to see and use as a format/syntax on nx under role

ike this

Role: Limited_Admin

  11      deny    command                         configure terminal ; interface mgmt0

however I think you tried and confirmed that it didn't' work so I started thinking that it could be a Os bug. Glad it's working for you.

Jatin
*Do rate help posts*

Sent from Cisco Technical Support Android App

~Jatin
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: