10-27-2015 12:00 PM
From my understanding the Cisco Nexus 7000 supports role-based access control (RBAC) for authorization. So you can pass it network-admin or network-operator roles for authorization, something along the lines of shell:roles = "network-operator". I tried doing this via ClearPass but I just get regular admin access. Has anyone gotten this to work, and if so, can you share your setup or any pointers please?
10-27-2015 12:45 PM
Errr, never mind. In the Cisco docs I saw shell:roles="network-operator vdc-admin" and this didn't work.
Then after I posted I found a doc that had "Network-Operator" with the caps, and this worked.
03-30-2016 07:54 AM - edited 03-30-2016 07:55 AM
Did you modify the shell TACACS dictionary yourself, as the "roles" string is not built into the existing CPPM TACACS Shell dictionary? I assume it would be a String type.
Can you take a screenshot of the enforcement profile you have working with this?
03-31-2016 05:38 AM
I did this as part of a proof-of-concept test, so the configuration has subsequently been removed and, sorry, I don't remember all the details of getting it to work. I don't think I changed the TACACS dictionary though. If I can find out what I did to make it work, I'll post it here.
04-04-2016 05:40 AM
I tested with an N5K and tried all different ways but was unable to get it to work. The debug result is not shown in ASCII, so I am unable to figure out what ClearPass is sending to the N5K. Authentication is successful, but I am not able to get network-admin to work.
I'd appreciate it if anyone who got it working could share the secret.
Partial output of debug:
2016 Apr 4 02:55:20.904327 tacacs: analyze_tac_resp_sent_aaa_resp_mts: entering for aaa session 0
2016 Apr 4 02:55:20.904364 tacacs: analyze_tac_resp_sent_aaa_resp_mts:received resp(before decrypt):
2016 Apr 4 02:55:20.904394 tacacs: in tac payload len:17
2016 Apr 4 02:55:20.904424 tacacs: in tac payload(hex): c0 3 2 0 52 bb 8f 5a 0 0 0 5 a1 32 e1 48 1
2016 Apr 4 02:55:20.904455 tacacs: tplus_decrypt: TPLUS_ENCRYPTED for aaa session 0
2016 Apr 4 02:55:20.904493 tacacs: analyze_tac_resp_sent_aaa_resp_mts: received resp(after decrypt):
2016 Apr 4 02:55:20.904522 tacacs: in tac payload len:17
2016 Apr 4 02:55:20.904552 tacacs: in tac payload(hex): c0 3 2 0 52 bb 8f 5a 0 0 0 5 0 0 0 0 1
2016 Apr 4 02:55:20.904583 tacacs: analyze_tac_resp_sent_aaa_resp_mts:TAC type and acct status : 0x3, 0x1 for aaa session 0
2016 Apr 4 02:55:20.904623 tacacs: send_aaa_acct_pass_resp_mts: entering for aaa session 0
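To make the hex in that debug readable, here is an added example (my own code, not from this thread, Cisco or Aruba) that decodes the "after decrypt" dump above as a TACACS+ accounting reply and implements the RFC 8907 MD5 pseudo-pad that NX-OS applies before and after the wire. The shared key is a constructed placeholder, since the real one is not in the post.

```python
import hashlib
import struct

# Constructed from the "after decrypt" line of the NX-OS debug quoted above:
# 12-byte TACACS+ header followed by a 5-byte accounting REPLY body.
NEXUS_DEBUG_HEX = "c0 3 2 0 52 bb 8f 5a 0 0 0 5 0 0 0 0 1"

PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
ACCT_STATUS = {1: "PASS", 2: "FAIL", 3: "ERROR"}
UNENCRYPTED_FLAG = 0x01  # header flag bit; clear means the body is obfuscated

def hex_dump_to_bytes(dump):
    """Turn the space-separated, unpadded hex that the NX-OS debug prints into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())

def parse_header(pkt):
    """Decode the 12-byte TACACS+ header (RFC 8907 section 4.1)."""
    ver, ptype, seq, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    return {"major": ver >> 4, "minor": ver & 0x0F,
            "type": PACKET_TYPES.get(ptype, ptype), "seq_no": seq,
            "encrypted": not (flags & UNENCRYPTED_FLAG),
            "session_id": session_id, "body_len": length}

def parse_acct_reply(body):
    """Decode an accounting REPLY body: server_msg_len, data_len, status, then strings."""
    msg_len, data_len, status = struct.unpack("!HHB", body[:5])
    server_msg = body[5:5 + msg_len].decode("ascii", "replace")
    data = body[5 + msg_len:5 + msg_len + data_len]
    return {"status": ACCT_STATUS.get(status, status), "server_msg": server_msg, "data": data}

def tacacs_pad(session_id, key, version, seq_no, length):
    """MD5 pseudo-pad (RFC 8907 section 4.5): each block chains the previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def deobfuscate_body(pkt, key):
    """XOR the body with the pseudo-pad; the same call both obfuscates and recovers it."""
    ver, _, seq, _, sid, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:12 + length]
    return bytes(b ^ p for b, p in zip(body, tacacs_pad(sid, key, ver, seq, length)))

def decode_nexus_debug(dump):
    """Parse one decrypted packet from a debug line into (header, accounting reply)."""
    pkt = hex_dump_to_bytes(dump)
    hdr = parse_header(pkt)
    return hdr, parse_acct_reply(pkt[12:12 + hdr["body_len"]])
```

Note that the packet in the quoted debug is type 0x3 (accounting) with status 0x1 (PASS), which matches the "TAC type and acct status" line; the shell:roles value travels in the authorization (type 2) reply, so this particular dump cannot show what ClearPass sent for roles.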