Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
9667
Views
24
Helpful
3
Comments

Configuring ACS 5.x to authenticate Role Based Access Control (RBAC) users on a Nexus 5000 switch via TACACS

slawford
Cisco Employee
Cisco Employee

‎12-07-2010 10:51 PM - edited ‎02-21-2020 09:57 PM

The following guide shows how to return a TACACS attribute in ACS 5 defining the role a user should be placed into on Nexus 5K switches that use Role Based Access Control (RBAC).

This guide makes the following assumptions:

  • You are using the TACACS protocol to authenticate RBAC users on a Nexus 5000 switch.
  • Your ACS service selection rules direct all TACACS requests to the "Default Device Admin" access service.
  • The switch is aleady added as a network device in a network device group specifically for Nexus switches.
  • Users are already mapped to an Identity Group on ACS that will then map to their role on Nexus.

Step 1:

Create an Authorization Policy rule to match the user and device criteria as shown below:

Screen shot 2010-12-08 at 5.57.52 PM.png

Step 2:

Create a Shell Profile to return the required attributes. In the following example the user will be placed into the "Network-Admin" role:

Screen shot 2010-12-08 at 6.08.53 PM.png

Step 3:

Map the Shell Profile to the Authorization Policy rule:

Screen shot 2010-12-08 at 6.10.51 PM.png


Step 4:

Log into the Nexus switch. To confirm that the rule has been successfully matched, check the hit count next to the rule. Note you may need to refresh the hit count status by clicking on the hit count button on the bottom right hand corner, and then refresh.

  Screen shot 2010-12-08 at 6.19.02 PM.png

Labels:
Comments
bzeitner
Community Member
‎09-19-2012 02:35 PM

FYI - While using ACS 5.3, the attributes needed to be entered as:

Attribute: cisco-av-pair

Requirement: Optional

Value: shell:roles*"network-operator"

Note, you can assign multiple roles by adding a space between role names (i.e. shell:roles*"network-operator vdc-operator")

smhaider2010
Level 1
Level 1
‎03-04-2017 06:26 AM

Thanks for your reply.

aaa authentication login default group ACS

 But the above command is not type local (key word).How to authenticate with (Local Switch Database and ACS ) at a time. 

OBINNA EMESORONYE
Level 1
Level 1
‎05-04-2017 02:34 AM

Hello bzeitner,

In the event that you have multiple roles in the shell profile as you have done, how can we determine which user has access to Network admin and which user uses Network operator.

Thanks,

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents