I seem to have it working, yet it is not exactly what I call intuitive. In ACS I had to configure the Custom Attributes as:
Attribute: cisco-av-pair*shell:roles
Value: network-admin
Any insights would be appreciated. Looks like this is not a bug.
I am using ACS 5.2 and attempting to authorize users through TACACS to Nexus 5.1 code. I seem to have ACS set up correctly based on documentation I received through here. The problem is that NX-OS doesn't seem to be operating as expected. I performed a debug on the Nexus and received the following output:

2011 Feb 8 07:04:23.227576 tacacs: tplus_decode_author_response: Attributes count 3
2011 Feb 8 07:04:23.227585 tacacs: tplus_decode_author_response: attribute 0 idletime=15
2011 Feb 8 07:04:23.227596 tacacs: tplus_decode_author_response: attribute 1 priv-lvl=15
2011 Feb 8 07:04:23.227606 tacacs: tplus_decode_author_response: attribute 2 roles=Network-Admin
2011 Feb 8 07:04:23.227931 tacacs: tplus_getroles(1937)Feature privilege: Disabled
2011 Feb 8 07:04:23.227959 tacacs: tplus_getroles(1957): privilege level 15, corresponding role is: network-admin
2011 Feb 8 07:04:23.227971 tacacs: tplus_decode_author_response: privilege level 15 is specified and corresponding role is network-admin
2011 Feb 8 07:04:23.228007 tacacs: AAA_RESP: status=2, av_count=2, ctx_len=294, server_msg_len=0, server_data_len=0
2011 Feb 8 07:04:23.228020 tacacs: AAA_RESP: 0 th attribute network-admin
2011 Feb 8 07:04:23.228029 tacacs: AAA_RESP: 1 th attribute XX.XXX.XX.XX
2011 Feb 8 07:04:23.228039 tacacs: tplus_decode_author_response: exiting for aaa session: 0

Yes - in this scenario I do get put into the Network-Admin role, but that is based on priv and not the roles AV setting.
This is important because I have other roles that need assigning (i.e. VDC-Admin and "READ_CONFIG", which is added through the CLI). So I figured that setting the privilege level was causing my problem and reran the same test:

2011 Feb 8 07:10:24.052767 tacacs: tplus_decode_author_response: entering for aaa session: 0
2011 Feb 8 07:10:24.052788 tacacs: tplus_decode_author_response: Attributes count 2
2011 Feb 8 07:10:24.052797 tacacs: tplus_decode_author_response: attribute 0 idletime=15
2011 Feb 8 07:10:24.052808 tacacs: tplus_decode_author_response: attribute 1 roles=Network-Admin
2011 Feb 8 07:10:24.052825 tacacs: tplus_decode_author_response: privilege level is not specifiedor if specified, roles has been given priority
2011 Feb 8 07:10:24.052855 tacacs: AAA_RESP: status=2, av_count=1, ctx_len=294, server_msg_len=0, server_data_len=0
2011 Feb 8 07:10:24.052867 tacacs: AAA_RESP: 0 th attribute XX.XXX.XX.XX
2011 Feb 8 07:10:24.052876 tacacs: tplus_decode_author_response: exiting for aaa session: 0

But as you can see in the debugs, neither works as expected. I am trying to determine if this is a simple config that I am missing, or if I need to open a TAC case to have it looked at as a bug.

AAA/TACACS config:

aaa authentication login default group TACACS-Servers
aaa accounting default group TACACS-Servers
aaa authentication login error-enable
feature tacacs+
tacacs-server host XX.XXX.XX.XX key REMOVED
aaa group server tacacs+ tacacs
aaa group server tacacs+ TACACS-Servers
  server XX.XXX.XX.XX
  use-vrf management

Any help would be appreciated.
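A small triage script, added here as an example and not part of the original post, that parses the two NX-OS "debug tacacs+" authorization excerpts above and reports whether the role came from the priv-lvl mapping or from the server's roles attribute. It assumes the last AAA_RESP attribute is the server address, that NX-OS matches role names exactly against the configured role list, and uses a constructed copy of the debug lines as input.

```python
import re

# Constructed sample input: the two "debug tacacs+" excerpts quoted in the post,
# split back into one message per line and trimmed to the authorization lines.
RUN_WITH_PRIV = """\
tacacs: tplus_decode_author_response: attribute 0 idletime=15
tacacs: tplus_decode_author_response: attribute 1 priv-lvl=15
tacacs: tplus_decode_author_response: attribute 2 roles=Network-Admin
tacacs: AAA_RESP: status=2, av_count=2, ctx_len=294, server_msg_len=0, server_data_len=0
tacacs: AAA_RESP: 0 th attribute network-admin
tacacs: AAA_RESP: 1 th attribute XX.XXX.XX.XX
"""
RUN_ROLES_ONLY = """\
tacacs: tplus_decode_author_response: attribute 0 idletime=15
tacacs: tplus_decode_author_response: attribute 1 roles=Network-Admin
tacacs: AAA_RESP: status=2, av_count=1, ctx_len=294, server_msg_len=0, server_data_len=0
tacacs: AAA_RESP: 0 th attribute XX.XXX.XX.XX
"""

SERVER_ATTR = re.compile(r"tplus_decode_author_response: attribute \d+ (\S+?)=(\S+)")
RESP_ATTR = re.compile(r"AAA_RESP: \d+ th attribute (\S+)")
# NX-OS built-in role names; custom roles (e.g. READ_CONFIG) are passed in by the caller.
BUILTIN_ROLES = {"network-admin", "network-operator", "vdc-admin", "vdc-operator"}


def parse_author_debug(text):
    """Return (AV pairs the TACACS+ server sent, attributes NX-OS kept in AAA_RESP)."""
    sent = dict(SERVER_ATTR.findall(text))
    kept = RESP_ATTR.findall(text)
    return sent, kept


def assess(text, custom_roles=()):
    """Explain which role (if any) the switch applied and whether the roles AV pair was honoured."""
    sent, kept = parse_author_debug(text)
    known = BUILTIN_ROLES | set(custom_roles)
    # Assumption read off the debug: the final AAA_RESP attribute is the server
    # address, so everything before it is a role the switch actually applied.
    applied = kept[:-1]
    requested = [r for r in sent.get("roles", "").split(",") if r]
    honoured = [r for r in requested if r in applied]
    findings = []
    for role in requested:
        if role not in known:  # assumption: exact, case-sensitive match against configured roles
            findings.append(f"roles value '{role}' does not exactly match any configured role name")
    if "priv-lvl" in sent and applied and not honoured:
        findings.append(f"applied role(s) {applied} come from priv-lvl={sent['priv-lvl']}, not from the roles attribute")
    if not applied:
        findings.append("no role was applied: the server's roles attribute was not honoured")
    return {"sent": sent, "applied": applied, "findings": findings}
```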