685 Views | 5 Helpful | 2 Replies

ACS 4.2 TACACS+ with IOS boxen works fine, but won't allow Nexus to AAA to same server(s)??

rmarosko
Level 1

Howdy CSC,

So I am being presented with my second customer in less than 90 days who is running an existing ACS 4.2 AAA system doing AD username/password lookup, and is doing full TACACS+ AAA with IOS boxen, both routers and switches. Everything works fine, everyone is happy.

Now both customers want to add multiple Nexus platforms to the mix... N7Ks, N5Ks, etc.  

Dealing with custom attribute values is not something I normally play with (hey, I'm route/switch, not security!), so of course I come over here to figure out how to make all this stuff work, RTFM, etc.

Everything I see points to adding the custom attribute value "shell:roles=network-admin" to the TACACS+ settings under the user group, which I do. And now the users are able to log into the Nexus equipment and receive the proper user role, that works great.

And now all AAA to IOS boxen are broken. Username/password are sent and verified, then we get kicked out of that IOS box with the error "authorization failed".

I remove the custom attribute from the group, and access to the IOS boxen works again. And of course breaks the Nexus devices.

After discussing this with some of our security engineers, the general consensus is to do one of the following:

1) Upgrade to ACS 5.x

2) Stand up new ACS 4.2 servers exclusively for the Nexus devices

3) Create/manage separate local usernames/usergroup in the existing ACS 4.2 servers to be used exclusively for the Nexus devices.

Customers are already budget-constrained, so option 1 isn't feasible, same issue for option 2. Option 3 seems most practical at this point, but the customer is not going to like having to remember multiple network management usernames/passwords.

Anyone have any suggestions or alternatives?

2 Replies

dherrald
Level 1

Ron,

Did you see the post linked below? It implies you may need to replace the equal sign ("=") with an asterisk ("*") to achieve the desired result. Might be worth a try.

https://supportforums.cisco.com/thread/2013536
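Why the "=" to "*" change matters, as an added example that is not part of this thread or of any Cisco code: in TACACS+ the separator in an authorization attribute-value pair carries meaning. "attr=value" is mandatory, so a client that does not understand the attribute must fail the authorization; "attr*value" is optional and may be ignored. The small model below assumes (for illustration only) that the IOS client knows only priv-lvl while the Nexus client also knows shell:roles, which matches the behaviour described in the question.

```python
# Added example: a minimal model of how a TACACS+ client evaluates the
# AV pairs in an authorization REPLY. Not Cisco code; the attribute sets
# below are assumptions for illustration, not the real platform lists.

MANDATORY = "="   # client must honour the attribute or fail authorization
OPTIONAL = "*"    # client may ignore the attribute if it does not know it


def split_av_pair(pair: str):
    """Split one AV pair into (attribute, separator, value).

    The first '=' or '*' is the separator; the rest is the value, which
    may itself contain '=' or '*'.
    """
    for i, ch in enumerate(pair):
        if ch in (MANDATORY, OPTIONAL):
            return pair[:i], ch, pair[i + 1:]
    raise ValueError(f"malformed AV pair (no separator): {pair!r}")


def evaluate_authorization(av_pairs, supported_attributes):
    """Return (authorized, applied) for a client knowing `supported_attributes`.

    mandatory + supported   -> applied
    mandatory + unsupported -> authorization FAILS (the "authorization failed"
                               the question sees on IOS)
    optional  + supported   -> applied
    optional  + unsupported -> silently ignored
    """
    applied = {}
    for pair in av_pairs:
        attr, sep, value = split_av_pair(pair)
        if attr in supported_attributes:
            applied[attr] = value
        elif sep == MANDATORY:
            return False, {}   # cannot honour a mandatory attribute
        # optional and unknown: ignore it and keep going
    return True, applied


# Constructed sample attribute sets (assumption for this model only).
IOS_ATTRS = {"priv-lvl"}
NEXUS_ATTRS = {"priv-lvl", "shell:roles"}

if __name__ == "__main__":
    broken = ["priv-lvl=15", "shell:roles=network-admin"]   # as in the question
    fixed = ["priv-lvl=15", "shell:roles*network-admin"]    # as in the reply
    print("IOS, mandatory roles:  ", evaluate_authorization(broken, IOS_ATTRS))
    print("IOS, optional roles:   ", evaluate_authorization(fixed, IOS_ATTRS))
    print("Nexus, optional roles: ", evaluate_authorization(fixed, NEXUS_ATTRS))
```

Running it shows the mandatory pair failing on the IOS model while the optional pair is ignored by IOS and still applied by the Nexus model, which is exactly the one-group-serves-both outcome the reply is after.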

David:

Good answer. +5.

I think that is going to fix the issue.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"
