
Nexus Authorization Brief :-

IOS relies on privilege levels. Privilege levels (0-15) define locally what level of access a user
has when logged into an IOS device, i.e. which commands are permitted.
NX-OS uses a different concept for the same purpose, known as User Roles. A User Role contains
rules that define the operations allowed for any user assigned to that role. There are four default
User Roles:
network-admin      Complete read-and-write access to the entire NX-OS device
network-operator   Complete read access to the entire NX-OS device
vdc-admin          Read-and-write access limited to a VDC
vdc-operator       Read access limited to a VDC
Command authorization can also be applied on Nexus, but enabling it disables user-role based
authorization (RBAC), including the default roles. Pick one model per switch: either ACS returns
roles, or ACS returns a privilege level plus a command set.
Configuration on ACS:-
Add the Nexus management IP address as an AAA client with protocol TACACS+, and configure a shared
secret for the Nexus client (the same key is configured later on the Nexus with tacacs-server host).
Create a username and password on ACS that will be used to check authentication from the Nexus.
If using user-role based control:-

Complete these steps:
1. Navigate to Policy Elements > Authorization and Permissions > Device
   Administration > Shell Profiles in order to create a Shell Profile.
2. Enter a name for the profile.
3. Under the Custom Attributes tab, enter these values:
   Attribute: cisco-av-pair
   Requirement: Mandatory
   Value: shell:roles*"network-admin vdc-admin"
   Roles are space separated inside the quotes. In a TACACS+ attribute-value pair the "*"
   separator marks the attribute as optional and "=" marks it as mandatory, so
   shell:roles="network-admin vdc-admin" is the mandatory form of the same attribute.
4. Submit the changes in order to create an attribute-based role for the Nexus switch.
5. Create a new authorization rule, or edit an existing rule, in the correct access policy. By
   default, TACACS+ requests are processed by the Default Device Admin access policy.
6. In the Conditions area, choose the appropriate conditions (for example the Nexus device or
   device group and the user's identity group). In the Results area, choose the Nexus shell profile.


If using privilege level and command authorization based control:
Create a shell profile with privilege level 15 (for this example), i.e. set the default privilege
on the Common Tasks tab, which ACS returns as shell:priv-lvl=15.
Create a command set containing all allowed commands (for this example, permit any command).
Create an access policy (authorization rule) whose results are the shell profile and command set above.
Note: Command authorization disables user role based authorization control (RBAC), including
the default roles, so a shell:roles attribute returned alongside the privilege level has no effect
once command authorization is enabled on the switch.
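As an added example (not from the original brief and not Cisco code), the following Python parses the cisco-av-pair values that the two kinds of ACS shell profile above return and reports which authorization model the Nexus will end up in. The attribute names shell:roles and shell:priv-lvl and the "=" mandatory / "*" optional separator rule come from the brief and the TACACS+ protocol; the default role set is the one listed in the brief, and any extra roles you pass in known_roles are assumed to exist on the switch.

```python
"""Parse the cisco-av-pair values an ACS shell profile returns to a Nexus.

Added example, not Cisco's or the brief's own code. The attribute names
(shell:roles, shell:priv-lvl), the separator rule ("=" mandatory, "*"
optional) and the default NX-OS role names are taken from the brief; the
summary modes are this example's own classification.
"""
import re

# The four default NX-OS user roles from the brief.
DEFAULT_ROLES = {"network-admin", "network-operator", "vdc-admin", "vdc-operator"}

# attribute, separator ("=" mandatory / "*" optional), value (possibly quoted)
_AV_RE = re.compile(r'^(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$')


def parse_av_pair(av):
    """Split one AV pair into attribute name, mandatory flag and unquoted value."""
    m = _AV_RE.match(av.strip())
    if not m:
        raise ValueError("not a TACACS+ attribute-value pair: %r" % av)
    value = m.group("value").strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return {"attribute": m.group("attr"), "mandatory": m.group("sep") == "=", "value": value}


def summarize_av_pairs(av_pairs, known_roles=DEFAULT_ROLES):
    """Work out what a list of cisco-av-pair values means for the Nexus login.

    mode is one of:
      'rbac'      - only shell:roles is sent: user-role based control
      'privilege' - only shell:priv-lvl is sent: privilege level + command authorization model
      'mixed'     - both are sent: roles are ignored once command authorization is
                    enabled on the switch, so this is flagged for the operator
      'none'      - neither attribute is present
    unknown_roles lists role names the switch does not have, which would be a
    typo in the shell profile or a custom role that was never created on NX-OS.
    """
    roles, priv = [], None
    for av in av_pairs:
        pair = parse_av_pair(av)
        if pair["attribute"] == "shell:roles":
            roles.extend(pair["value"].split())
        elif pair["attribute"] == "shell:priv-lvl":
            priv = int(pair["value"])
            if not 0 <= priv <= 15:
                raise ValueError("privilege level out of range: %d" % priv)
        # any other attribute is not relevant to NX-OS authorization and is ignored
    unknown = [r for r in roles if r not in known_roles]
    if roles and priv is not None:
        mode = "mixed"
    elif roles:
        mode = "rbac"
    elif priv is not None:
        mode = "privilege"
    else:
        mode = "none"
    return {"roles": roles, "unknown_roles": unknown, "priv_lvl": priv, "mode": mode}


if __name__ == "__main__":
    # Constructed inputs: the brief's role profile and a privilege-level profile.
    for profile in (['shell:roles*"network-admin vdc-admin"'],
                    ["shell:priv-lvl=15"],
                    ['shell:roles="netadmin"', "shell:priv-lvl=15"]):
        print(profile, "->", summarize_av_pairs(profile))
```

Run it against the attribute strings copied out of a shell profile before pushing the policy; a "mixed" result or a non-empty unknown_roles list is the usual reason a user lands with fewer rights than intended.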



TACACS+ Configuration:

Create a local user on the Nexus switch with full privileges, for fallback when no ACS server is
reachable (on NX-OS access is granted by role; the IOS-style "privilege 15" keyword is only accepted
after "feature privilege" is enabled):
username admin password 0 xxxx role network-admin


!--- Enable TACACS+ on the device.
feature tacacs+
!--- Define the ACS servers and the shared secret configured on ACS for this client
!--- ("key 0" for a clear-text key as typed, "key 7" for an already-encrypted key).
tacacs-server host x.x.x.x key 7 xxxx
tacacs-server host x.x.x.x key 7 xxxx
tacacs-server directed-request
!--- Create a server group; "acs" is the name used in the aaa commands below.
aaa group server tacacs+ acs
  !--- List the IP addresses of the tacacs-servers defined above.
  server x.x.x.x
  server x.x.x.x
  !--- Reach the servers through the management VRF, sourced from mgmt0.
  use-vrf management
  source-interface mgmt0
Test authentication against the server group with the user created on ACS:-

test aaa group acs username password

If it works, proceed with the configuration.
AAA configuration on the Nexus switch:
aaa authentication login default group acs
Note: The default login method falls back to local authentication when remote authentication is
configured and all AAA servers are unreachable. Fallback to local authentication is enabled by
default; the local network-admin user created above is what makes that fallback usable.
aaa authentication login console group acs
aaa accounting default group acs
Note: Exec authorization is enabled by default on Nexus (there is no aaa authorization exec
command); the roles or privilege level in the shell profile returned by ACS are applied at login.



At this point test authentication again, now through the configured login method:-

test aaa group acs username password

If it succeeds and command authorization is required on the Nexus, continue below. Command
authorization must also be configured on the ACS server (shell profile with privilege level and a
command set, as described above), otherwise every command will be denied.

If command authorization is needed:-
aaa authorization commands default group acs
aaa authorization config-commands default group acs
Note:- Command authorization applies to login (vty/SSH) sessions; there is no command authorization
on the console session. Appending "local" to the two commands above (for example
"aaa authorization commands default group acs local") falls back to the local role based
authorization when no ACS server is reachable, instead of locking the session out.
Note: Command authorization disables user role based authorization control (RBAC), including
the default roles. Before rolling it out, check what a given user will be allowed to run with
"test aaa authorization command-type commands user <username> command <command>".

If you have enabled accounting on the Nexus, note that NX-OS does not account show commands by
default. To record show commands as well, configure the following command on the switch:
terminal log-all

Troubleshooting the access requests and the roles assigned to a user:-
Check the roles assigned to a logged-in user by running the following command:
switch# show user-account
user:admin
        roles:network-admin
        account created through REMOTE authentication
The last line shows that the account and its roles came from TACACS+ rather than from the local
user database; if a remote user shows up without the roles configured in the shell profile, the
ACS authorization rule did not match or returned the wrong profile. Use "show accounting log" to
confirm which commands were accounted for the session.
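As an added example (not from the original brief and not Cisco code), the following Python parses the two outputs the troubleshooting steps rely on, "show user-account" (which roles a user got and whether the account came from REMOTE authentication) and the accounting log (to verify show commands are recorded once "terminal log-all" is in place), and compares a remote user's roles with what ACS was meant to send. The accounting line layout assumed here is "timestamp:type=...:id=source@tty:user=name:cmd=text (RESULT)", and both sample texts are constructed for this example.

```python
"""Check what a Nexus actually did with a TACACS+ login.

Added example, not from the brief or Cisco. Parses "show user-account"
output and NX-OS accounting log lines. The accounting layout assumed is
  <timestamp>:type=<start|stop|update>:id=<src>@<tty>:user=<name>:cmd=<text> (<RESULT>)
Both sample texts below are constructed for this example.
"""
import re

# Constructed sample: one local admin, one user that came in through ACS.
SAMPLE_USER_ACCOUNT = """\
user:admin
        this user account has no expiry date
        roles:network-admin
user:jdoe
        roles:network-operator vdc-operator
        account created through REMOTE authentication
"""

# Constructed sample accounting log for the remote user's session.
SAMPLE_ACCOUNTING_LOG = """\
Mon Jun  3 10:11:05 2024:type=start:id=10.0.0.5@pts/0:user=jdoe:cmd=
Mon Jun  3 10:11:09 2024:type=update:id=10.0.0.5@pts/0:user=jdoe:cmd=terminal log-all (SUCCESS)
Mon Jun  3 10:11:20 2024:type=update:id=10.0.0.5@pts/0:user=jdoe:cmd=show running-config (SUCCESS)
Mon Jun  3 10:11:31 2024:type=update:id=10.0.0.5@pts/0:user=jdoe:cmd=configure terminal ; interface ethernet1/1 (SUCCESS)
"""

# timestamp contains colons, so it is matched non-greedily up to ":type=".
_ACCT_RE = re.compile(
    r'^(?P<ts>.*?):type=(?P<type>\w+):id=(?P<id>[^:]*):user=(?P<user>[^:]*)'
    r':cmd=(?P<cmd>.*?)(?: \((?P<result>[A-Z]+)\))?$')


def parse_user_accounts(text):
    """Return {username: {"roles": [...], "remote": bool}} from show user-account."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user:"):
            current = line[len("user:"):].strip()
            accounts[current] = {"roles": [], "remote": False}
        elif current is None:
            continue
        elif line.startswith("roles:"):
            accounts[current]["roles"] = line[len("roles:"):].split()
        elif "REMOTE authentication" in line:
            accounts[current]["remote"] = True
    return accounts


def parse_accounting_log(text):
    """Return one dict per accounting line (ts, type, id, user, cmd, result)."""
    entries = []
    for raw in text.splitlines():
        m = _ACCT_RE.match(raw.strip())
        if m:  # lines that do not follow the layout are skipped, not guessed at
            entries.append(m.groupdict())
    return entries


def show_commands_accounted(entries, user=None):
    """show commands that made it into the accounting log (empty until terminal log-all)."""
    return [e["cmd"] for e in entries
            if e["type"] == "update" and e["cmd"].startswith("show ")
            and (user is None or e["user"] == user)]


def check_login(accounts, username, expected_roles):
    """Compare the roles a remote user received with what the ACS shell profile should send."""
    acct = accounts.get(username)
    if acct is None:
        return {"ok": False, "reason": "no such user account on the switch"}
    if not acct["remote"]:
        return {"ok": False, "reason": "account is local, not from TACACS+"}
    missing = sorted(set(expected_roles) - set(acct["roles"]))
    extra = sorted(set(acct["roles"]) - set(expected_roles))
    return {"ok": not missing and not extra, "missing": missing, "extra": extra}


if __name__ == "__main__":
    accounts = parse_user_accounts(SAMPLE_USER_ACCOUNT)
    log = parse_accounting_log(SAMPLE_ACCOUNTING_LOG)
    print(check_login(accounts, "jdoe", ["network-operator", "vdc-operator"]))
    print("accounted show commands:", show_commands_accounted(log, user="jdoe"))
```

Paste the real outputs of "show user-account" and "show accounting log" into the two sample strings; a user who is not marked remote, or whose role set differs from the shell profile, points at the ACS authorization rule rather than at the switch.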
