All times are UTC - 6 hours [ DST ]
PostPosted: Thu Mar 01, 2012 9:27 am 
Post Whore

Joined: Fri Nov 13, 2009 5:15 pm
Posts: 1955
Location: Pittsburgh
Certs: CCIE R&S,CCIP,JNCIA,VCP510
I can't seem to figure out why this is preferring one of the roles over the other. Long story short, we just got the ACE load balancers, which require a new attribute for users to log in properly. The Nexus network-admin and vdc-admin have been working for a long time... since adding the ACE attribute shell:Admin=Admin default-domain, the Nexus no longer works :( Upon debug I get the following..

2012 Mar 1 09:01:20.168838 tacacs: tplus_decode_author_response: attribute 0 cisco-av-pair*shell:Admin=Admin default-domain
2012 Mar 1 09:01:20.169116 tacacs: tplus_decode_author_response: attribute 1 cisco-av-pair*shell:roles*"network-admin vdc-admin"
2012 Mar 1 09:01:20.171334 tacacs: tplus_process_vsa: got VSA attribute:shell:Admin=Admin default-domain
2012 Mar 1 09:01:20.171617 tacacs: tplus_process_vsa: got shell: home-dir: roles: uid:
2012 Mar 1 09:01:20.171904 tacacs: tplus_decode_author_response: privilege level is not specifiedor if specified, roles has been given priority

This happens regardless of what order I put the attributes in. I searched Cisco and did the obvious Google search, but I can't seem to find a reason it would take the one attribute over the other, when it's not defined within the Nexus.

_________________
"I will prepare and some day my chance will come." - Abraham Lincoln
http://danielhertzberg.wordpress.com - I blog about networks!


PostPosted: Thu Mar 01, 2012 4:04 pm 
CCIE #17621

Joined: Thu Oct 06, 2005 12:38 pm
Posts: 446
Location: Morrisville, NC
Certs: CCIE - Security, R&S. RHCE.
What's the ACS version?


PostPosted: Thu Mar 01, 2012 10:13 pm 
Post Whore

Joined: Fri Nov 13, 2009 5:15 pm
Posts: 1955
Location: Pittsburgh
Certs: CCIE R&S,CCIP,JNCIA,VCP510
5.3



PostPosted: Fri Mar 02, 2012 10:52 am 
CCIE #17621

Joined: Thu Oct 06, 2005 12:38 pm
Posts: 446
Location: Morrisville, NC
Certs: CCIE - Security, R&S. RHCE.
Changing

shell:Admin=Admin default-domain

to

shell:Admin*Admin default-domain

should help.

If not, you will need to use different authorization rules.


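Added example, not code from the thread: the separator in a TACACS+ authorization argument is its mandatory/optional flag (RFC 8907 section 6.1). A client that receives a mandatory (`=`) argument it does not understand must treat the authorization as failed, whereas an optional (`*`) argument it cannot process is simply ignored. This Python model of that rule is fed the two attribute values from the debug output above; the set of attribute names the simulated client "understands" is an assumption for illustration, not the real NX-OS list.

```python
import re
from dataclasses import dataclass

# name, then a single separator character, then the value.
# '=' marks the argument mandatory, '*' marks it optional (RFC 8907 s6.1).
_AV_PAIR_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)


@dataclass
class AvPair:
    name: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AvPair:
    """Split a TACACS+ AV pair into name, value and mandatory flag."""
    m = _AV_PAIR_RE.match(raw)
    if not m:
        raise ValueError(f"not a TACACS+ AV pair: {raw!r}")
    name, sep, value = m.groups()
    return AvPair(name, value.strip('"'), mandatory=(sep == "="))


# Assumed set of shell attributes the simulated client knows how to apply.
SUPPORTED = {"shell:roles", "shell:priv-lvl", "shell:home-dir"}


def apply_authorization(raw_pairs: list[str]) -> tuple[bool, list[str]]:
    """Return (authorization_ok, roles) for a list of AV-pair strings."""
    roles: list[str] = []
    for raw in raw_pairs:
        pair = parse_av_pair(raw)
        if pair.name not in SUPPORTED:
            if pair.mandatory:
                return False, []  # unknown mandatory argument: authz fails
            continue  # unknown optional argument: ignored
        if pair.name == "shell:roles":
            roles = pair.value.split()
    return True, roles


# Constructed from the debug lines in the thread: the ACE attribute with
# '=' (as originally configured) and with '*' (the suggested change).
BROKEN_RESPONSE = ["shell:Admin=Admin default-domain", 'shell:roles*"network-admin vdc-admin"']
FIXED_RESPONSE = ["shell:Admin*Admin default-domain", 'shell:roles*"network-admin vdc-admin"']

if __name__ == "__main__":
    print("with '=':", apply_authorization(BROKEN_RESPONSE))
    print("with '*':", apply_authorization(FIXED_RESPONSE))
```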