
Unable to do changes - Current privilege level: -1

ziqex
Level 4

Hi,

 

I authenticate with the switch with ACS.

Authentication is successful, but I am unable to run show run or make changes in configure terminal.

sh privilege
User name: testacc
Current privilege level: -1
Feature privilege: Disabled

sh run
% Permission denied for the role

 

Hardware
cisco Nexus5548 Chassis

Reason: Reset Requested by CLI command reload
System version: 7.3(7)N1(1b)

 

 

Please advise how I can resolve it. Thank you.

Regards,

Daniel

 

 


18 Replies

balaji.bandi
Hall of Fame

Current privilege level: -1 

 

change level to 15

 

https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/116236-configure-acs-00.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Exactly the same account has privilege 15 on different devices. Thank you.

 

show privilege
Current privilege level is 15

Then what prompt are you in on the Nexus? (Is the other device a Nexus or IOS?)

 

> or #

BB


On Nexus and IOS I'm getting logged in directly to #.

Whereas on the Nexus I cannot execute the sh run command.

 

Thank you

IOS works; Nexus has the network-admin role.

Check the config guide below and add the necessary action:

 

https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html

 

BB


ziqex
Level 4

I've been following the guide, but at step 5 in ACS I cannot create a new authorization rule. I have only the Default rule available and cannot add a new one. Create, add below and above is blank. Please advise. Thank you.

 

5. Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, TACACS+ requests are processed by the Default Device Admin access policy.

I managed to add the new rule. I had to switch to Internet Explorer as it did not like Chrome for some reason. Thank you for all the information provided.

Glad it's all working. Yes, IE is good with ACS; somehow Cisco ACS does not work with Chrome as expected (forgot to mention).

BB


I managed to view the running config after applying the correct value to the shell profile (Value: shell:roles*"network-admin vdc-admin").

Unfortunately, I cannot make any configuration changes as I am getting the AAA authorisation error.

 

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

 

Any advice on how to resolve it? Thanks

What does your AAA config look like on the Nexus? Add the command below (do not lock yourself out; make sure you have a fallback to a local account):

aaa authorization config-commands default group radius_servers  (radius_servers is your group)

BB


The current AAA config is as below:

 

sh run aaa

!Command: show running-config aaa

version 7.3(7)N1(1b)
aaa authentication login default group ACS_Servers local
aaa authentication login console local
aaa authorization config-commands default group ACS_Servers

Thanks

Can you post the ACS_Servers information?

 

 

BB


aaa group server tacacs+ ACS_Servers
server 10.94.1.28
server 10.94.2.30

 

thanks

We have also tried stopping ACS authentication and using a local account (authentication was successful but could not make changes), but still could not make changes to the configuration.

 

The local account has role network-admin assigned to it. 

 

Thanks,

Daniel
