I cant seem to figure out why this is preferring one of the roles over the other. Long story short we just got the ace load balancers which require a new attribute for users to log in properly. The nexus network-admin and vdc admin have been working for a long time... since adding the ace attribute shell:Admin=Admin default-domain the nexus no longer work Upon debug I get the following..
2012 Mar 1 09:01:20.168838 tacacs: tplus_decode_author_response: attribute 0 cisco-av-pair*shell:Admin=Admin default-domain
2012 Mar 1 09:01:20.169116 tacacs: tplus_decode_author_response: attribute 1 cisco-av-pair*shell:roles*"network-admin vdc-admin"
2012 Mar 1 09:01:20.171334 tacacs: tplus_process_vsa: got VSA attribute:shell:Admin=Admin default-domain
2012 Mar 1 09:01:20.171617 tacacs: tplus_process_vsa: got shell: home-dir: roles: uid:
2012 Mar 1 09:01:20.171904 tacacs: tplus_decode_author_response: privilege level is not specifiedor if specified, roles has been given priority
this will do this regardless of what order I put the attribute in? I searched cisco and did the obvious google search but I cant seem to find a reason it would take the one attribute over the other, when its not defined within the nexus.