Cisco Nexus AAA

I spent quite a bit of time integrating some nexus switches into Cisco ACS. So wanted to share a couple of notes. I will be talking a lot about NX-OS RBAC rolls so here is a good primer if you are not familiar with it.

Network-operator is the default role.

If your AAA Server doesn’t define any role for the Authenticated user you will get Netw0rk-Operator by default.

Locally defined roles (authorization) will take effect.

So if a Tacas user is authenticated and has the same username as a locally defined user account. The local user role will take effect.

Shell roles

From ACS you need to return shell roles to define the authorization form TACAS. The attributes you want are.

Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*network-admin vdc-admin