08-19-2011 01:14 PM - edited 03-10-2019 06:20 PM
How do I configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACS connection works, and my user authentication is successful, but I can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin", both as a mandatory attribute named role and as cisco-av-pair=role with "admin" as the value, and I still get read-only.
When I attempt to find any documentation, it only describes ACS 4.2, which is another problem I have with most documentation for new Cisco products (I have this exact issue with my NAMs: nothing I do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
Is there any possibility Cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?
10-05-2011 07:39 AM
In case anyone is interested, I got it working. The trick is to match the attribute and value as below. And this seems to be the same for all Nexus-related products.
08-22-2011 02:40 AM
It's very product dependent. I know nothing about UCS but I know about ACS :-)
So the attribute you should return is configured as "role" for the attribute name and "admin" as the value.
This document is not about UCS, but WCS uses the same av-pairs for giving roles, so you might get inspiration from that doc.
https://supportforums.cisco.com/docs/DOC-17909
Hope it helps :-)
08-22-2011 10:03 AM
While I appreciate the referral, I have tried every permutation of role, roles, Role, role0, role1, etc. with admin, Admin, aaa, etc. as the "mandatory attribute" ...but every time I authenticate via my TACACS login, I get read-only. If I log in using a local account, I get whatever role I assigned myself in the UCS Manager software.
I would post this question in the UCS forum, but as I mentioned in my original post, I have this exact problem with the WS-SVC-NAM2s I use authenticating against this ACS via TACACS. So I'm relatively certain it's an ACS configuration issue, and not a problem on the UCS side of the house.
10-04-2011 01:18 PM
Hi David,
I got the same issue as you: I only got read-only access. Were you able to figure it out?
Thanks,
Tao
12-01-2011 09:50 AM
The picture link for your solution is broken. What is the syntax? Thanks!
12-01-2011 10:25 AM
Attribute: shell:roles
Requirement: Mandatory
Value: admin
Hope this helps. FYI, as far as I can see, the screenshot is still there.
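As an added illustration (not from this thread or from Cisco), the following Python parses a TACACS+ authorization reply the way RFC 8907 defines attribute-value pairs (a mandatory pair uses `=`, an optional pair uses `*`) and shows why a bare `role=admin` falls back to read-only while `shell:roles=admin` grants admin. The role names, the "only `shell:roles` is honoured" rule and the sample replies are assumptions constructed for the example; the `priv-lvl` helper is included only to show that the UCS role attribute and the IOS privilege level are separate attributes.

```python
# Added example: parse TACACS+ authorization AV pairs (RFC 8907 syntax) and
# derive the role a UCS-style device would grant. Sample replies are constructed.

READ_ONLY = "read-only"


def parse_av_pairs(args):
    """Split TACACS+ AV args into (name, value, mandatory) triples.

    RFC 8907: '=' marks a mandatory pair, '*' an optional one. The first
    separator found wins, so 'shell:roles=admin' splits on '='.
    """
    pairs = []
    for arg in args:
        seps = [i for i in (arg.find("="), arg.find("*")) if i != -1]
        if not seps:
            raise ValueError(f"malformed AV pair: {arg!r}")
        i = min(seps)
        pairs.append((arg[:i], arg[i + 1:], arg[i] == "="))
    return pairs


def ucs_roles(args, known_roles=("admin", "aaa", "read-only")):
    """Roles a UCS-style device would accept from the reply.

    Assumption: only the 'shell:roles' attribute is honoured; its value is a
    space-separated list of role names. Any other attribute (e.g. a bare
    'role=admin') is ignored and the session falls back to read-only.
    """
    for name, value, _mandatory in parse_av_pairs(args):
        if name == "shell:roles":
            roles = [r for r in value.split() if r in known_roles]
            if roles:
                return roles
    return [READ_ONLY]


def ios_priv_level(args):
    """Initial privilege level an IOS-style shell takes from 'priv-lvl' (default 1)."""
    for name, value, _mandatory in parse_av_pairs(args):
        if name == "priv-lvl" and value.isdigit():
            return int(value)
    return 1


# Constructed sample replies, one per attempt discussed in the thread.
WRONG_ATTR = ["role=admin"]                      # what the original poster tried
WORKING = ["shell:roles=admin"]                   # the accepted answer
COMBINED = ["shell:roles=admin", "priv-lvl=15"]   # role plus IOS privilege level
```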
10-05-2011 08:01 AM
That is great! shell:roles worked for me as well. Now hopefully a similar trick will work for the NAM..
Thanks!
02-06-2012 06:47 AM
When I set this on my generic admin shell profile, it prevents me from defaulting to enable mode (priv 15) on my network devices. I can type "enable", enter my password when prompted, and enter enable mode, but I'd like this to happen automatically, as it did before I made this shell profile change.
Any ideas?