08-08-2016 09:34 AM - edited 02-21-2020 05:53 AM
Hello,
We just purchased three Nexus-9396PX switches and can currently authenticate through our ACS 5.4 server. The issue is it drops straight into the enable mode without prompting for the "enable" password. Also, when you try to save a config change it states you're in the wrong context. The settings in our ACS 5.4 server are the same for all our IOS devices, but I didn't see any "login authentication" command for the vty lines on our Nexus switches. Is there another equivalent command or something else we need to change to prompt for the "enable" password when logging in?
***We can save config changes when logged in directly through the console port***
Thank You,
Doug
08-23-2016 05:37 PM
Hi Doug, the AAA process on NX-OS is a bit different than IOS. Can you provide me with:
1. The attributes that you are returning with the authorization profile
2. The AAA related commands that you have configured on the switch
Thank you for rating helpful posts!
08-24-2016 02:18 PM
Neno,
Here are the AAA commands we're using. The attributes we are returning are TACACS+ and the secret key. It looks like if I enable the "feature privilege" command from global config this might prompt me for the enable login? Also, you'll notice that my privilege level is currently -1 when logged in.
aaa group server tacacs+ #######
server ##.#.#.###
source-interface Vlan###
aaa authentication login default group ######
aaa authentication login console local
aaa authorization commands default group #######
aaa accounting default group ######
aaa authentication login error-enable
tacacs-server directed-request
------------------------------------------------
tacacs-server key 7 "#########"
ip tacacs source-interface Vlan##
tacacs-server timeout 3
tacacs-server host ##.#.#.### key 7 "#########"
aaa group server tacacs+ groupname
server ##.#.#.###
source-interface Vlan##
# show privilege
User name: ###########
Current privilege level: -1
Feature privilege: Disabled
--------------------------------------------
# show tacacs-server
Global TACACS+ shared secret:########
timeout value:3
deadtime value:0
source interface:Vlan##
total number of servers:1
following TACACS+ servers are configured:
##########:
available on port:49
TACACS+ shared secret:#######
08-26-2016 06:24 PM
Thank you for providing the info! My comments below:
- NX-OS does not have/use the concept of "enable password/secret". This is a function of IOS. Thus, NX-OS only offers two different shell levels while IOS offers three. Instead, NX-OS controls privileges through "roles" that you must return in your Authorization Profiles. Here is a good link describing this in more detail:
- If you use TACACS+ you can still create command based Authorization and restrict command usage via command-set profiles
- For instance, if you are not using VDCs and you want to have a full admin and a read-only account you would return the following attributes:
Admin:
shell:roles="network-admin"
Read-Only:
shell:roles="network-operator"
- Now let's say you do use VDCs and want to have a full admin and read-only account for the admin VDC. Then you would return the following attributes:
Admin:
shell:roles="vdc-admin"
Read-Only:
shell:roles="vdc-operator"
I hope this helps!
Thank you for rating helpful posts!
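As an added example (not code from any post in this thread), the checker below parses the TACACS+ attribute-value pairs an ACS shell profile returns and reports which NX-OS roles they carry. It assumes the RFC 8907 separator rule (attr=value is mandatory, attr*value is optional) and treats the four roles named in the answer above as the known built-ins; a deployment with user-defined roles would extend that set.

```python
# Added example: sanity-check the TACACS+ authorization attributes an ACS
# shell profile returns to an NX-OS switch. NX-OS derives its roles from the
# cisco-av-pair "shell:roles"; IOS-style privilege-level attributes do not
# create an enable mode on NX-OS, as the answer above explains.
import re

# Built-in roles named in the thread (assumption: no custom roles defined).
KNOWN_ROLES = {"network-admin", "network-operator", "vdc-admin", "vdc-operator"}

# attr, then "=" (mandatory) or "*" (optional), then an optionally quoted value.
AV_PAIR = re.compile(r'^([^=*]+)([=*])"?(.*?)"?$')


def parse_av_pair(pair):
    """Split one AV pair into (attribute, mandatory?, value) without quotes."""
    m = AV_PAIR.match(pair.strip())
    if not m:
        raise ValueError("not a TACACS+ AV pair: %r" % pair)
    attr, sep, value = m.groups()
    return attr, sep == "=", value


def check_nxos_profile(av_pairs):
    """Summarise what NX-OS would use from a list of returned AV pairs."""
    roles, mandatory, ios_only = [], None, []
    for pair in av_pairs:
        attr, is_mandatory, value = parse_av_pair(pair)
        if attr == "shell:roles":
            roles = value.split()          # roles are space separated
            mandatory = is_mandatory
        elif attr in ("shell:priv-lvl", "priv-lvl"):
            ios_only.append(pair.strip())  # meaningful for IOS enable levels only
    unknown = sorted(set(roles) - KNOWN_ROLES)
    return {
        "roles": roles,
        "mandatory": mandatory,
        "unknown_roles": unknown,
        "ios_only_attributes": ios_only,
        "all_roles_known": bool(roles) and not unknown,
    }


# Constructed sample: the profile from this thread plus an IOS-style priv-lvl.
SAMPLE = ['shell:roles*"network-admin vdc-admin"', "shell:priv-lvl=15"]

if __name__ == "__main__":
    print(check_nxos_profile(SAMPLE))
```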
08-29-2016 08:21 AM
Good Morning Neno,
Thanks for the info! In the path listed below I found 2 "rules". The 2nd rule pertains to Nexus, and when I move it to the top position I have "admin" access to the Nexus devices but lose login capability to the rest of our network. There's an exception policy link listed above in our TACACS+ server, but I'm not sure if this would remedy this situation.
Path:
ACCESS Policies>>Access Services>>Authorization
"Device Administration Authorization Policy"
Manual:
TACACS+ and RADIUS Attributes for Various Cisco and Non-Cisco Devices Configuration Example
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html#cex
08-31-2016 04:09 PM
Hi Doug-
What you need to do is create two different rules and make them unique enough so they don't overlap. For instance, I have always used "Device Type" in my authorization policies to distinguish between: IOS, ASA, WLCs, NX-OS, etc. So for your example, you can have:
Authorization Rule #1: NDG:Device Type = Nexus >> Then NX-OS_Authorization_Profile
Authorization Rule #2: NDG:Device Type = IOS >> Then IOS_Authorization_Profile
I hope this helps!
Thank you for rating helpful posts!
09-02-2016 09:06 AM
Good Morning Neno,
We currently have unique authorization policies such as IOS, ASA, WLCs, NX-OS.
Under "Device Administration>>Shell Profiles I added the attributes listed below but still no luck. Should I try changing the Authorization rule to TACACS+ for the "Dictionary"?
Changed First:
Nexus attributes Attribute:cisco-av-pair
Value:shell:roles*"network-admin vdc-admin"
Changed 2nd: Device Administration>>Shell Profiles>>"Common Tasks"
Default Privilege 1
Maximum Privilege 15
Current privilege level when logged in:
Current privilege level: -1
Feature privilege: Disabled
Thank You,
Doug
09-02-2016 10:59 AM
Neno,
When I do the show user-account on our Nexus switch I get the below output.
user:
roles:network-admin vdc-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
***My current privilege level is still -1***
The enable command according to documentation I've been reading only shows up if you have the "Feature Privilege" command enabled. Do you think I need to enable this command to elevate my privileges?
Thank you,
Doug