
Nexus Authorization Brief :-

IOS relies on privilege levels. Privilege levels (0-15) define locally what level of access a user has when logged into an IOS device, i.e. which commands are permitted.

NX-OS uses a different concept for the same purpose, known as User Roles. A User Role contains rules that define the operations allowed for a user assigned to that role. The default User Roles are:

  • Network-Admin: complete read-and-write access to the entire NX-OS device

  • Network-Operator: complete read access to the entire NX-OS device

  • VDC-Admin: read-and-write access limited to a VDC

  • VDC-Operator: read access limited to a VDC

Command authorization can be applied on Nexus, but it disables the default User Role based authorization (RBAC).

Configuration on ACS:-

Configure the Nexus IP address under AAA Clients with protocol TACACS+. Configure a shared secret for the Nexus client.

Configure the username and password on nexus to check the authentication.

If using User Role based control:-

Complete these steps:

  • 1. Navigate to Policy Elements > Authentication and Permissions > Device Administration > Shell Profiles in order to create a Shell Profile.

  • 2. Enter a name for the profile.

  • 3. Under the Custom Attributes tab, enter these values: Attribute: cisco-av-pair Requirement: Mandatory Value: shell:roles*"network-admin vdc-admin"

  • 4. Submit the changes in order to create an attribute-based role for the Nexus switch.

  • 5. Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, TACACS+ requests are processed by the Default Device Admin access policy.

  • 6. In the Conditions area, choose the appropriate conditions. In the Results area, choose the Nexus OS shell profile.
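The shell profile above hands NX-OS its roles as a TACACS+ attribute-value pair. The following parser is an added example (not ACS or NX-OS code) that shows what the switch has to make of that string: the attribute name, whether the separator marks it mandatory (=) or optional (*), and the space-separated role list inside the quotes, checked against the default roles listed in this brief. The shell:priv-lvl attribute handled alongside it is the standard TACACS+ shell privilege-level attribute used for the privilege-level variant of the setup; it is not named on this page and is included here as an assumption.

```python
"""Parse cisco-av-pair values as returned to an NX-OS switch by a TACACS+ shell profile."""
import re
from dataclasses import dataclass

# Default NX-OS user roles as listed in this brief (name -> scope).
DEFAULT_ROLES = {
    "network-admin": "read-write, entire device",
    "network-operator": "read-only, entire device",
    "vdc-admin": "read-write, one VDC",
    "vdc-operator": "read-only, one VDC",
}

# TACACS+ AV pair grammar: "attr=value" is mandatory, "attr*value" is optional.
_AV_RE = re.compile(r"^(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$")


@dataclass
class AvPair:
    attr: str
    mandatory: bool
    value: str


def parse_av_pair(text: str) -> AvPair:
    """Split one AV pair string; strips the quotes ACS puts around multi-word values."""
    m = _AV_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an attr=value / attr*value pair: {text!r}")
    value = m.group("value").strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return AvPair(m.group("attr").strip(), m.group("sep") == "=", value)


def roles_from_av_pairs(pairs):
    """Return (default_roles, other_roles, priv_lvl) for a list of AV pair strings.

    other_roles collects names that are not default NX-OS roles (custom roles or typos);
    priv_lvl is None unless a shell:priv-lvl pair is present (assumed attribute name).
    """
    default_roles, other_roles, priv_lvl = [], [], None
    for raw in pairs:
        pair = parse_av_pair(raw)
        if pair.attr == "shell:roles":
            for role in pair.value.split():
                (default_roles if role in DEFAULT_ROLES else other_roles).append(role)
        elif pair.attr == "shell:priv-lvl":
            priv_lvl = int(pair.value)
    return default_roles, other_roles, priv_lvl


if __name__ == "__main__":
    # Constructed sample: the value from the shell profile in this brief.
    sample = ['shell:roles*"network-admin vdc-admin"']
    print(roles_from_av_pairs(sample))
```

The separator check matters when reading a TACACS+ debug: an optional (*) attribute the switch does not understand is silently ignored, while an unknown mandatory (=) attribute makes the authorization fail.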

If using privilege level and command authorization based control:

Create a shell profile with privilege level 15 (for this example).

Create a command set containing all allowed commands (for this example).

Create an access policy that uses the above policy elements.

Note: Command authorization disables user role based authorization control (RBAC), including the default roles.

TACACS+ Configuration:

Create a local user on the Nexus switch with full privileges for fallback:

username admin privilege 15 password 0 xxxx

!--- Enable TACACS+ on the device.

feature tacacs+

!--- Define the TACACS+ servers and their shared keys.

tacacs-server host x.x.x.x key 7 xxxx
tacacs-server host x.x.x.x key 7 xxxx

!--- Provide the name of your ACS server group and mention the IP addresses of the tacacs-servers.

aaa group server tacacs+ acs
  server x.x.x.x
  server x.x.x.x
  use-vrf management
  source-interface mgmt0

tacacs-server directed-request

Test authentication with the user created on ACS:-

test aaa group group-name username password

If it works, proceed with the configuration.

AAA configuration on the Nexus switch:

  • aaa authentication login default group acs

Note: Enables fallback to local authentication for the default login if remote authentication is configured and all AAA servers are unreachable. Fallback to local authentication is enabled by default.

  • aaa authentication login console group acs

  • aaa accounting default group acs

Note: exec authorization is enabled by default on Nexus.

At this point, test authentication again:-

test aaa group group-name username password

If it succeeds and command authorization is required on the Nexus (command authorization must also be configured on the ACS server), add:

  • aaa authorization commands default group acs

  • aaa authorization config-commands default group acs

Note:- There is no authorization on the console session.

Note: Command authorization disables user role based authorization control (RBAC), including the default roles.

  • If you have enabled accounting on the Nexus, NX-OS will not account show commands; to account them as well, run the command "terminal log-all".
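The settings above are easy to get half-right on a fleet of switches. The script below is an added example (not Cisco code) that audits an NX-OS running-config excerpt for the points this brief makes: the local fallback user, a server group that actually lists servers and pins use-vrf, AAA lines that reference a defined group, and the two caveats that command authorization disables RBAC and that accounting misses show commands until terminal log-all. The sample config is constructed from the lines in this brief with its x.x.x.x placeholders kept; the severity labels are this example's own convention.

```python
"""Audit an NX-OS AAA/TACACS+ configuration excerpt against the settings in this brief."""
import re

# Constructed sample, modelled on the configuration lines of this brief.
SAMPLE_CONFIG = """\
username admin privilege 15 password 0 xxxx
feature tacacs+
tacacs-server host x.x.x.x key 7 xxxx
aaa group server tacacs+ acs
  server x.x.x.x
  use-vrf management
  source-interface mgmt0
tacacs-server directed-request
aaa authentication login default group acs
aaa authentication login console group acs
aaa accounting default group acs
aaa authorization commands default group acs
aaa authorization config-commands default group acs
"""


def parse_config(text):
    """Return (top_level_lines, {group_name: [indented sub-lines]})."""
    top, groups, current = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            groups[current].append(line.strip())
            continue
        current = None
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        top.append(line.strip())
    return top, groups


def audit(text):
    """Return a list of (severity, message) findings; severity is error, warn or info."""
    top, groups = parse_config(text)
    findings = []
    if "feature tacacs+" not in top:
        findings.append(("error", "feature tacacs+ is not enabled"))
    if not any(re.match(r"username \S+ .*(privilege 15|role network-admin)", l) for l in top):
        findings.append(("warn", "no local full-privilege user to fall back to when every AAA server is unreachable"))
    for name, body in groups.items():
        if not any(l.startswith("server ") for l in body):
            findings.append(("error", f"server group {name} lists no servers"))
        if not any(l.startswith("use-vrf ") for l in body):
            findings.append(("warn", f"server group {name} has no use-vrf; requests may leave via the wrong VRF"))
    for l in top:
        m = re.match(r"aaa (?:authentication login \S+|accounting default|authorization \S+ default) group (\S+)", l)
        if m and m.group(1) not in groups:
            findings.append(("error", f"'{l}' references undefined server group {m.group(1)}"))
    if any(l.startswith(("aaa authorization commands", "aaa authorization config-commands")) for l in top):
        findings.append(("info", "command authorization is on: user-role based authorization (RBAC), including the default roles, is disabled"))
    if any(l.startswith("aaa accounting default group") for l in top):
        findings.append(("info", "accounting is on, but show commands are only accounted after 'terminal log-all'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the output of "show running-config aaa" plus the tacacs-server and username lines; the info findings are not faults but the two trade-offs an operator should consciously accept.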

Troubleshooting the access requests and roles assigned to the user:-

  • Check the role assigned to a user by running the following command:

switch# show user-account
user:admin
        roles:network-admin
account created through REMOTE authentication