Showing results for 
Search instead for 
Did you mean: 
Cisco Employee
Cisco Employee

The following guide shows how to return a TACACS attribute in ACS 5 defining the role a user should be placed into on Nexus 5K switches that use Role Based Access Control (RBAC).

This guide makes the following assumptions:

  • You are using the TACACS protocol to authenticate RBAC users on a Nexus 5000 switch.
  • Your ACS service selection rules direct all TACACS requests to the "Default Device Admin" access service.
  • The switch is aleady added as a network device in a network device group specifically for Nexus switches.
  • Users are already mapped to an Identity Group on ACS that will then map to their role on Nexus.

Step 1:

Create an Authorization Policy rule to match the user and device criteria as shown below:

Screen shot 2010-12-08 at 5.57.52 PM.png

Step 2:

Create a Shell Profile to return the required attributes. In the following example the user will be placed into the "Network-Admin" role:

Screen shot 2010-12-08 at 6.08.53 PM.png

Step 3:

Map the Shell Profile to the Authorization Policy rule:

Screen shot 2010-12-08 at 6.10.51 PM.png

Step 4:

Log into the Nexus switch. To confirm that the rule has been successfully matched, check the hit count next to the rule. Note you may need to refresh the hit count status by clicking on the hit count button on the bottom right hand corner, and then refresh.

  Screen shot 2010-12-08 at 6.19.02 PM.png

Community Member

FYI - While using ACS 5.3, the attributes needed to be entered as:

Attribute: cisco-av-pair

Requirement: Optional

Value: shell:roles*"network-operator"

Note, you can assign multiple roles by adding a space between role names (i.e. shell:roles*"network-operator vdc-operator")


Thanks for your reply.

aaa authentication login default group ACS

 But the above command is not type local (key word).How to authenticate with (Local Switch Database and ACS ) at a time. 

Hello bzeitner,

In the event that you have multiple roles in the shell profile as you have done, how can we determine which user has access to Network admin and which user uses Network operator.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links