05-30-2013 08:15 AM - edited 03-10-2019 08:29 PM
Hello,
I have created the following custom RBAC role on NX-OS.
Role: Limited_Admin
11 deny command config t ; interface mgmt 0
10 permit command read
9 permit command config t ; interface * ; *
8 permit command copy running-config startup-config
7 permit command ping *
6 permit command traceroute *
I have created a Shell Profile with the following attributes that will place the user in the Limited_Admin role and mapped this to the Authorization Policy rule.
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles="Limited_Admin"
When I log in with the test account, I get mapped to the custom role as seen below; however, I have priv 15.
user:testrbac
roles:Limited_Admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
Any assistance greatly appreciated. I had this working perfectly on 4.2 but am unable to get the rules to work on 5.4.
AAA Config from Nexus:
tacacs-server key *****
ip tacacs source-interface mgmt0
tacacs-server host x.x.x.x
aaa group server tacacs+ ACS-SERVERS
server x.x.x.x
use-vrf management
aaa group server tacacs+ ACS-SERVERS
aaa authentication login default group ACS-SERVERS
aaa authentication login console local
aaa accounting default group ACS-SERVERS
aaa authentication login error-enable
06-05-2013 02:53 PM
I saw that, and that is what I wanted to see and use as the format/syntax on NX under the role, like this:
Role: Limited_Admin
11 deny command configure terminal ; interface mgmt0
However, I think you tried and confirmed that it didn't work, so I started thinking that it could be an OS bug. Glad it's working for you.
Jatin
*Do rate help posts*
Sent from Cisco Technical Support Android App
06-04-2013 11:58 AM
This does work as expected; however, I was testing success/fail by attempting to configure int mgmt 0, which should be denied but is not.
To confirm, I logged in as test, went into configuration mode and did a ?
#config t
(config)# ?
I only see the following options:
interface Configure interfaces
end Go to exec mode
exit Exit from command interpreter
I just need to know why my deny for int mgmt 0 is not taking effect.
06-04-2013 12:21 PM
Hi Jenny,
I have created an article on this. Kindly check and verify that all the settings are correct:
https://supportforums.cisco.com/docs/DOC-33073
Regards
Minakshi (Do rate the helpful posts)
06-04-2013 01:05 PM
I checked your configuration and it seems the VSA format is correct on the ACS. I did check the IDs of the commands you have added under the role, because the RBAC parser accesses rules from the highest to the lowest rule number, and that is correct too. I'd like to see debugs from the Nexus to get to the bottom of this.
Could you please run:
debug tacacs
debug aaa authen
debug aaa author
Please provide the output at your convenience.
Regards,
Jatin
*Do rate helpful posts*
06-04-2013 01:49 PM
06-04-2013 02:21 PM
2013 Jun 4 15:44:03.182300 aaa: aaa_create_local_acct_req: user=testrbac, session_id=@pts/14, log=configure terminal ; interface mgmt0 (SUCCESS)
2013 Jun 4 15:44:03.182320 aaa: aaa_req_process for accounting. session no 0
2013 Jun 4 15:44:03.182328 aaa: MTS request reference is NULL. LOCAL request
2013 Jun 4 15:44:03.182335 aaa: Setting AAA_REQ_RESPONSE_NOT_NEEDED
2013 Jun 4 15:44:03.182344 aaa: aaa_req_process: General AAA request from appln: default appln_subtype: default
2013 Jun 4 15:44:03.182353 aaa: try_next_aaa_method
2013 Jun 4 15:44:03.182365 aaa: aaa_method_config: GET request for accounting default default
2013 Jun 4 15:44:03.182384 aaa: aaa_method_config: GET methods group ACS-SERVERS
2013 Jun 4 15:44:03.182393 aaa: got back the return value of aaa method configuration operation:success
2013 Jun 4 15:44:03.182402 aaa: total methods configured is 1, current index to be tried is 0
2013 Jun 4 15:44:03.182411 aaa: handle_req_using_method
2013 Jun 4 15:44:03.182418 aaa: AAA_METHOD_SERVER_GROUP
2013 Jun 4 15:44:03.182427 aaa: do parallel local accounting
2013 Jun 4 15:44:03.182435 aaa: aaa_local_accounting_msg
2013 Jun 4 15:44:03.182444 aaa: update:@pts/14:testrbac:configure terminal ; interface mgmt0 (SUCCESS)
2013 Jun 4 15:44:03.182452 aaa: av list is null. No vsan id
I don't see much difference between the debugs and the way you have defined it. However, still try to push it as it is and see how it goes, like this:
Role: Limited_Admin
11 deny command configure terminal ; interface mgmt0
I'll check in the background if something else needs to be tweaked.
Jatin Katyal
- Do rate helpful posts -
06-05-2013 09:46 AM
I tried using the full command but it's a no-go : (
06-05-2013 09:56 AM
Please share the NX-OS code.
Jatin Katyal
- Do rate helpful posts -
06-05-2013 10:07 AM
NX-OS - 5.0(3)N1(1c)
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.4.0.46.0a
I also tested NX-OS 5.1(3)N2(1) - same result.
06-05-2013 10:25 AM
Have you tried assigning the role to a local user itself? Just wanted to rule out an NX-OS issue.
If you can, map the role to a locally created user and test the interface mgmt0 command.
Let me know.
Jatin Katyal
- Do rate helpful posts -
06-05-2013 02:01 PM
Success!
Changed the rule to: deny command config t ; interface mgmt0
The interface name is mgmt0, not mgmt -space- 0.
Although it will accept int mgmt -space- 0, the deny command would not work unless it was entered without the space!
This worked on both versions:
5.0(3)N1(1c)
5.2(1)N1(2a)
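The fix above (the deny rule has to name the interface as mgmt0, the single token the accounting debug earlier in the thread records, while rules are walked from the highest number down and the first match wins) can be reproduced offline with the following Python model. This is an added example written for this page, not NX-OS code and not from anyone in the thread; the abbreviation table, the prefix-matching semantics, the treatment of the read rule as permitting show commands, the implicit deny when nothing matches, and the probe commands are all assumptions of the model, not documented NX-OS behaviour.

```python
"""Simplified model of NX-OS role command-rule evaluation (added example).

Assumptions of the model, all constructed for this page:
  * a typed command is canonicalised before matching: keyword abbreviations
    are expanded ("config t" -> "configure terminal", "int" -> "interface")
    and "mgmt 0" is recorded as the single token "mgmt0";
  * rule text is not re-tokenised that way, so "mgmt 0" in a rule never
    equals the recorded "mgmt0";
  * rules are tried from highest number to lowest, a rule matches as a prefix
    of the command's ';'-separated stages, and an unmatched command is denied.
"""
import fnmatch
import re
from dataclasses import dataclass

# Abbreviation table: constructed, covers only the keywords seen in the thread.
KEYWORDS = {"config": "configure", "conf": "configure", "t": "terminal",
            "term": "terminal", "int": "interface"}

RULE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+command\s+(.+?)\s*$")


@dataclass
class Rule:
    number: int
    action: str   # "permit" or "deny"
    pattern: str  # command text as written in the role, may contain '*'


def parse_role(text):
    """Parse rule lines in the format shown in the thread; other lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3)))
    return rules


def _fuse_mgmt(tokens):
    """['interface', 'mgmt', '0'] -> ['interface', 'mgmt0']: the CLI accepts the
    spaced form but the command is recorded with the fused interface name."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "mgmt" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            out.append(tokens[i] + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def stages(text, fuse_interface):
    """Split on ';', expand abbreviations, return one normalised string per stage."""
    result = []
    for stage in text.split(";"):
        toks = [KEYWORDS.get(t, t) for t in stage.split()]
        if fuse_interface:
            toks = _fuse_mgmt(toks)
        if toks:
            result.append(" ".join(toks))
    return result


def evaluate(rules, typed_command):
    """Return (action, rule_number) of the first matching rule, or ('deny', None)."""
    cmd = stages(typed_command, fuse_interface=True)
    for rule in sorted(rules, key=lambda r: r.number, reverse=True):
        if rule.pattern.strip() == "read":
            # The thread's role has a read rule; the model lets it permit
            # show commands only (assumption).
            if cmd and cmd[0].startswith("show"):
                return rule.action, rule.number
            continue
        pat = stages(rule.pattern, fuse_interface=False)
        if len(pat) <= len(cmd) and all(
                fnmatch.fnmatchcase(c, p) for p, c in zip(pat, cmd)):
            return rule.action, rule.number
    return "deny", None


# The role from the thread as first posted, then with the interface name
# corrected as in the accepted answer.
ROLE_WITH_SPACE = """\
Role: Limited_Admin
11 deny command config t ; interface mgmt 0
10 permit command read
9 permit command config t ; interface * ; *
8 permit command copy running-config startup-config
7 permit command ping *
6 permit command traceroute *
"""
ROLE_FIXED = ROLE_WITH_SPACE.replace("interface mgmt 0", "interface mgmt0")


def audit(role_text, commands):
    """Evaluate each command against the role; returns {command: (action, rule)}."""
    rules = parse_role(role_text)
    return {c: evaluate(rules, c) for c in commands}


if __name__ == "__main__":
    probes = ["config t ; int mgmt 0 ; shutdown",            # the reported symptom
              "config t ; interface Ethernet1/1 ; shutdown",
              "show running-config", "ping 192.0.2.1", "reload"]
    for name, role in (("as posted", ROLE_WITH_SPACE), ("fixed", ROLE_FIXED)):
        print(f"--- role {name} ---")
        for cmd, (action, num) in audit(role, probes).items():
            print(f"{action:6} rule {num!s:4} {cmd}")
```

Running the script prints a verdict per probe for both versions of the role. With "mgmt 0" in the deny rule, a shutdown under mgmt0 does not match rule 11 and falls through to rule 9 (interface * ; *), so it is permitted, which is the symptom reported in the thread; with "mgmt0" the same command stops at rule 11 and is denied.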