03-03-2022 08:01 AM - edited 03-03-2022 08:07 AM
Hi,
I authenticate to the switch with ACS.
Authentication is successful, but I am unable to run show run or make changes in configure terminal.
sh privilege
User name: testacc
Current privilege level: -1
Feature privilege: Disabled
sh run
% Permission denied for the role
Hardware
cisco Nexus5548 Chassis
Reason: Reset Requested by CLI command reload
System version: 7.3(7)N1(1b)
Please advise how I can resolve it. Thank you.
Regards,
Daniel
03-03-2022 08:08 AM
Current privilege level: -1
Change the level to 15.
03-03-2022 08:12 AM
Exactly the same account has privilege 15 on different devices. Thank you.
show privilege
Current privilege level is 15
03-03-2022 09:16 AM
Then what prompt are you in on the Nexus? (Is the other device a Nexus or IOS?)
> or #
03-03-2022 09:23 AM
On Nexus and IOS I'm getting logged in directly to #.
Whereas on the Nexus I cannot execute the sh run command.
Thank you
03-03-2022 09:34 AM - edited 03-03-2022 09:35 AM
IOS works; Nexus has the network-admin role.
Check the config guide below and add the necessary action:
03-04-2022 04:46 AM
I've been following the guide, but at step 5 in ACS I cannot create a new authorization rule. I have only the Default rule available and cannot add a new one; Create, Add Below and Add Above are blank. Please advise. Thank you
5. Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, TACACS+ requests are processed by the Default Device Admin access policy.
03-04-2022 05:28 AM
I managed to add the new rule. I had to switch to Internet Explorer as it did not like Chrome for some reason. Thank you for all the information provided.
03-04-2022 06:19 AM
Glad it's all working. Yes, IE works well with ACS; somehow Cisco ACS does not work with Chrome as expected (forgot to mention).
03-08-2022 12:45 AM
I managed to view the running config after correcting the value in the shell profile (Value: shell:roles*"network-admin vdc-admin").
Unfortunately, I cannot make any configuration changes as I am getting the AAA authorisation error.
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)
Any advice on how to resolve it? Thanks
03-08-2022 01:48 AM
What does your AAA config look like on the Nexus? Add the command below. (Do not lock yourself out; make sure you have a fallback to a local account.)
aaa authorization config-commands default group radius_servers (radius_servers is your group)
03-08-2022 01:52 AM
The current aaa config is as below:
sh run aaa
!Command: show running-config aaa
version 7.3(7)N1(1b)
aaa authentication login default group ACS_Servers local
aaa authentication login console local
aaa authorization config-commands default group ACS_Servers
Thanks
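An added example, not from the thread or from Cisco: a small Python checker that parses the shell:roles AV pair quoted earlier (in TACACS+, "=" marks a mandatory attribute and "*" an optional one) and audits the "show run aaa" lines above for method lists that name a server group with no trailing local fallback, which the previous reply warns about. The sample text is constructed from the posts; function names are my own.

```python
import re

# Constructed sample: the 'show running-config aaa' lines posted in the thread.
SAMPLE_AAA = """\
aaa authentication login default group ACS_Servers local
aaa authentication login console local
aaa authorization config-commands default group ACS_Servers
"""
# Constructed sample: the shell-profile value quoted in the thread.
SAMPLE_AVPAIR = 'shell:roles*"network-admin vdc-admin"'

# attribute, then the separator ('=' mandatory, '*' optional), then an
# optionally quoted value.
AVPAIR_RE = re.compile(r'^(?P<attr>[\w:.-]+)(?P<sep>[=*])"?(?P<value>[^"]*)"?$')


def parse_shell_roles(avpair):
    """Return (is_mandatory, [roles]) for a TACACS+ shell:roles AV pair."""
    m = AVPAIR_RE.match(avpair.strip())
    if not m or m.group("attr") != "shell:roles":
        raise ValueError(f"not a shell:roles AV pair: {avpair!r}")
    return m.group("sep") == "=", m.group("value").split()


def audit_aaa(config):
    """Flag NX-OS 'aaa ...' method lists that use a server group but list
    no 'local' method after it, i.e. no fallback if the servers reject or
    fail to authorize the request."""
    findings = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "aaa" or "group" not in parts:
            continue
        # e.g. ['aaa', 'authorization', 'config-commands', 'default', 'group', 'ACS_Servers']
        method_list = " ".join(parts[1:4])
        methods = parts[parts.index("group") + 1:]
        if "local" not in methods:
            findings.append(f"{method_list}: group {methods[0]} has no local fallback")
    return findings


if __name__ == "__main__":
    print(parse_shell_roles(SAMPLE_AVPAIR))
    for finding in audit_aaa(SAMPLE_AAA):
        print("WARNING:", finding)
```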
03-08-2022 07:53 AM
Can you post the ACS_Servers information?
03-08-2022 07:56 AM
aaa group server tacacs+ ACS_Servers
server 10.94.1.28
server 10.94.2.30
thanks
03-08-2022 08:03 AM
We have also tried stopping ACS authentication and using a local account (authentication was successful), but we still could not make changes to the configuration.
The local account has the network-admin role assigned to it.
Thanks,
Daniel