burnyd (Post Whore; Posts: 3159; Joined: Fri Nov 13, 2009 5:15 pm; Certs: CCIE R&S/SP, CCNP-SP, JNCIA, VCP510, VCA-DCV)

Nexus and ACE on the same TACACS+ ACS server

Thu Mar 01, 2012 9:27 am

I can't seem to figure out why this is preferring one of the roles over the other. Long story short, we just got the ACE load balancers, which require a new attribute for users to log in properly. The Nexus network-admin and vdc-admin have been working for a long time... since adding the ACE attribute shell:Admin=Admin default-domain the Nexus no longer works :( Upon debug I get the following..

2012 Mar 1 09:01:20.168838 tacacs: tplus_decode_author_response: attribute 0 cisco-av-pair*shell:Admin=Admin default-domain
2012 Mar 1 09:01:20.169116 tacacs: tplus_decode_author_response: attribute 1 cisco-av-pair*shell:roles*"network-admin vdc-admin"
2012 Mar 1 09:01:20.171334 tacacs: tplus_process_vsa: got VSA attribute:shell:Admin=Admin default-domain
2012 Mar 1 09:01:20.171617 tacacs: tplus_process_vsa: got shell: home-dir: roles: uid:
2012 Mar 1 09:01:20.171904 tacacs: tplus_decode_author_response: privilege level is not specifiedor if specified, roles has been given priority

This will do this regardless of what order I put the attribute in? I searched Cisco and did the obvious Google search, but I can't seem to find a reason it would take the one attribute over the other, when it's not defined within the Nexus.
http://danielhertzberg.wordpress.com - I blog about networks!

vivek283 (CCIE #17621; Posts: 446; Joined: Thu Oct 06, 2005 12:38 pm; Certs: CCIE - Security, R&S. RHCE.)

Re: Nexus and ACE on the same TACACS+ ACS server

Thu Mar 01, 2012 4:04 pm

What's the ACS version?

burnyd

Re: Nexus and ACE on the same TACACS+ ACS server

Thu Mar 01, 2012 10:13 pm

5.3
http://danielhertzberg.wordpress.com - I blog about networks!

vivek283

Re: Nexus and ACE on the same TACACS+ ACS server

Fri Mar 02, 2012 10:52 am

Changing

shell:Admin=Admin default-domain

to

shell:Admin*Admin default-domain

should help.

If not, you will need to use different authorization rules.
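The two replies above turn on one detail of the TACACS+ authorization reply: in each argument the separator after the attribute name is either "=" (mandatory) or "*" (optional), and RFC 8907 says a client that does not understand a mandatory argument must treat the authorization as failed, while an unknown optional argument is simply ignored. The following script is an added example, not code from the thread or from Cisco: it pulls the cisco-av-pair values out of the NX-OS debug lines quoted in the first post, parses each pair with its separator, and then models a client that, like the Nexus here, knows shell:roles but not the ACE attribute shell:Admin. The set of "known" attributes, the debug-line regex and the pass/fail logic are assumptions made for the illustration, not NX-OS internals.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the two attribute lines from the NX-OS debug in the first post.
SAMPLE_DEBUG = [
    "2012 Mar 1 09:01:20.168838 tacacs: tplus_decode_author_response: attribute 0 cisco-av-pair*shell:Admin=Admin default-domain",
    '2012 Mar 1 09:01:20.169116 tacacs: tplus_decode_author_response: attribute 1 cisco-av-pair*shell:roles*"network-admin vdc-admin"',
]

# The same profile with the fix from the reply ('=' changed to '*' on the ACE attribute).
SAMPLE_AVPAIRS_OPTIONAL = [
    "shell:Admin*Admin default-domain",
    'shell:roles*"network-admin vdc-admin"',
]

# Assumed regex for the debug format; the outer 'cisco-av-pair' argument carries its own separator.
DEBUG_LINE = re.compile(r"tplus_decode_author_response: attribute \d+ cisco-av-pair[=*](.*)$")


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool  # True for '=', False for '*'


def avpairs_from_debug(lines: List[str]) -> List[str]:
    """Return the cisco-av-pair values found in NX-OS tacacs debug lines."""
    return [m.group(1) for line in lines if (m := DEBUG_LINE.search(line))]


def parse_avpair(raw: str) -> AVPair:
    """Split an attribute-value pair on its first '=' or '*' (RFC 8907 argument syntax)."""
    m = re.match(r"^([^=*]+)([=*])(.*)$", raw)
    if not m:
        raise ValueError(f"not an attribute-value pair: {raw!r}")
    attr, sep, value = m.groups()
    return AVPair(attr, value.strip('"'), sep == "=")


# Attributes the simulated client understands (assumption: a Nexus knows shell:roles, not shell:Admin).
KNOWN_ATTRS = {"shell:roles", "shell:priv-lvl"}


def evaluate_authorization(avpairs: List[str]) -> Tuple[bool, List[str], str]:
    """Model the client-side rule: unknown mandatory arg fails authorization,
    unknown optional arg is ignored, shell:roles is collected when present."""
    roles: List[str] = []
    for raw in avpairs:
        pair = parse_avpair(raw)
        if pair.attr not in KNOWN_ATTRS:
            if pair.mandatory:
                return False, [], f"unknown mandatory attribute {pair.attr}"
            continue  # optional and not understood: skip it
        if pair.attr == "shell:roles":
            roles.extend(pair.value.split())
    return True, roles, "ok"


if __name__ == "__main__":
    before = avpairs_from_debug(SAMPLE_DEBUG)
    print("as logged:", evaluate_authorization(before))
    print("with '*':  ", evaluate_authorization(SAMPLE_AVPAIRS_OPTIONAL))
```

With the pairs exactly as the debug shows them, the model fails on shell:Admin before it ever reaches shell:roles; with the separator changed to "*" it ignores the ACE attribute and returns the two Nexus roles. The same check is a useful thing to run against an ACS or ISE authorization profile whenever one profile is shared by device types that recognise different attribute sets.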

