Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
8461
Views
0
Helpful
7
Replies

Permission denied for the role - user from tacacs - NX5K

Erico Verissimo
Level 1
Level 1

‎05-02-2018 08:49 AM - edited ‎03-08-2019 02:52 PM

Hello guys,

 

I am changing the tacacs server but when i have tried to modify (server-tacacs key) i received the message - % Permission denied for the role. Have someone seen this already?

 

Thanks!

Labels:
0 Helpful
7 Replies 7

Francesco Molino
VIP Alumni
VIP Alumni

‎05-02-2018 08:46 PM

Hi

Just based on your post, i would say probably your new tacacs server authenticated you but pushed a role not existing on the Nexus or didn't pushed any role.
Can you give more details for your session please? Have you been authenticated against new tacacs? Which role did you received?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Erico Verissimo
Level 1
Level 1
In response to Francesco Molino

‎05-04-2018 05:16 AM

Hi,

 

I will take the information about roles. I do not understand very well the roles config I am newbie in that. 

 

Thanks for your support.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Erico Verissimo

‎05-05-2018 04:41 PM

Roles in Nexus are like privilege in IOS.
You have to push a role to a user to say what rights he has, this means is he able to only view some configs and/or outputs OR is he able to modify the config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Erico Verissimo
Level 1
Level 1
In response to Francesco Molino

‎05-18-2018 07:21 AM

Francesco,

 

We are not connected to the tacacs and nobody here has the admin password, and than I will recover the admin access. I've never done this before and I will use this procedure:

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/password_recovery/b_nx_os_pwr/nx_os_pw.html#wp43327

 

I have one doubt.. of course I dont want to lose the config on startup.. Would you have some tips for that?

Thanks

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Erico Verissimo

‎05-18-2018 06:21 PM

I've not done it lot of times but i recall the config was still there.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

jlma81
Level 1
Level 1
In response to Francesco Molino

‎11-08-2018 11:48 AM

Hi

I am facing a similar issue, when I do a "show user-account" I can see my role as "network-operator",  I am using TACACS and ISE, I checked under User Identiy Groups and I am part of Network Admin but can't find whether it has the permission of network-admin  , can anyone guide me to know where I can change or check this value on ISE?

user:username
roles:network-operator
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible

Will appreciate your help.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to jlma81

‎11-10-2018 08:43 AM

Hi
If you have ISE, do you ensure that you're pushing the role network-admin? If so, what the result in ISE logs, do you see it has been applied correctly?
Here a doc that may help with ISE and NX-OS:
https://community.cisco.com/t5/security-documents/how-to-ise-tacacs-configuration-for-cisco-nx-os-network-devices/ta-p/3631609?attachment-id=149531

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Top