Thursday, May 5, 2016

HOWTO: HP Virtual Connect roles via AAA with Cisco ACS 5.8

The HP Virtual Connect (VC) chassis has 4 predefined roles:

DOMAIN
NETWORK
SERVER
STORAGE

By default the local admin has all 4 roles, which gives RW in all 4 areas. When creating a local user, you have to define one role or multiple roles.

In Cisco ACS we can do the same by issuing "autocmd" as a custom attribute in the shell profile. If you list all 4 of the above roles you get RW access for all 4 roles.

e.g.

autocmd=domain
autocmd=network
autocmd=server
autocmd=storage

If you don't define a role you get "RO" access to that role's functions. Also, you don't need the mistaken hp-vc-mgmt attribute in Cisco ACS 5.X.



Here are a few snapshots and screen views of the landing page when you log in and the permissions you have.


e.g. (all 4 roles)

Cisco ACS


HP-VC landing page (see the roles defined on the left and the manage/view columns, RW/RO)



(just 2: domain + network)

Cisco ACS


HP-VC landing page


And finally, if we define no roles at all, we get RO.

HP-VC landing page when we have nothing defined.



So that's how you do it. Keep in mind you control which roles are granted via the autocmd custom attribute(s) in the shell profile.

I haven't yet figured out a means of issuing a "show user *" command to show the current remote user and their role access in HP-VC version "v4.45".

Also, if you make any typo in the custom attribute, you can brick that access. So 1> ensure the role name is correct, 2> use lower case, 3> don't string the roles together in one value.

If you have a typo, or mixed or upper case, this is what happens:

(Cisco ACS autocmd with an intentional typo in the form of upper case)




(And now HP Virtual Connect falls back to RO for the roles that were not defined correctly)
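Because a typo silently drops a role to RO, it is worth checking the shell profile before you push it. The script below is an added example (not HP, Cisco or the author's own code): it takes the custom attributes as one name=value line each, the way they are listed above (that input format is an assumption), and reports which of the four roles VC would grant RW versus RO, flagging the three mistakes just described: a wrong role name, upper case, and several roles strung into one value. It also flags the unneeded hp-vc-mgmt attribute. The sample profiles at the bottom are constructed for illustration.

```python
"""Check the 'autocmd' custom attributes of a Cisco ACS 5.x shell profile
against the four HP Virtual Connect roles.

Added example, not HP or Cisco code.  Assumption: the attributes are given as
one 'name=value' line each, the way they are listed in the post.  The sample
profiles at the bottom are constructed for illustration."""

# The four roles HP Virtual Connect knows; each needs its own autocmd line.
VC_ROLES = ("domain", "network", "server", "storage")


def parse_attributes(text):
    """Split 'name=value' lines into (name, value) pairs.

    Blank lines and '#' comments are skipped.  A line with no '=' gives a
    value of None so the caller can report it instead of silently dropping it.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            pairs.append((line, None))
            continue
        name, value = line.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def evaluate_profile(text):
    """Work out the access HP VC grants for each role from the attributes.

    Returns (access, warnings): access maps role -> 'RW' or 'RO', warnings
    lists the attributes VC will not honour.  A role is RW only when an
    autocmd line carries exactly that lower-case role name; anything else
    falls back to RO, which is the behaviour shown in the screenshots above.
    """
    access = {role: "RO" for role in VC_ROLES}
    warnings = []
    for name, value in parse_attributes(text):
        if name != "autocmd":
            if name.lower() == "hp-vc-mgmt":
                warnings.append("hp-vc-mgmt is not needed on ACS 5.x; VC ignores it")
            else:
                warnings.append(f"ignoring attribute '{name}', not an autocmd")
            continue
        if value is None or value == "":
            warnings.append("autocmd without a role value grants nothing")
        elif value in VC_ROLES:
            access[value] = "RW"
        elif any(sep in value for sep in ",; "):
            warnings.append(
                f"'{value}' strings roles together; use one autocmd line per role "
                "(all of them stay RO)")
        elif value.lower() in VC_ROLES:
            warnings.append(
                f"'{value}' is not lower case; VC falls back to RO for {value.lower()}")
        else:
            warnings.append(f"'{value}' is not a VC role; falls back to RO")
    return access, warnings


def rw_roles(text):
    """Convenience: the sorted list of roles that end up RW."""
    access, _ = evaluate_profile(text)
    return sorted(role for role, level in access.items() if level == "RW")


# Constructed sample profiles mirroring the three cases in the post.
ALL_FOUR = "autocmd=domain\nautocmd=network\nautocmd=server\nautocmd=storage\n"
TWO_ROLES = "autocmd=domain\nautocmd=network\n"
WITH_TYPOS = "autocmd=Domain\nautocmd=network,server\nautocmd=stroage\nhp-vc-mgmt=1\n"

if __name__ == "__main__":
    for label, profile in (("all four", ALL_FOUR), ("two roles", TWO_ROLES),
                           ("with typos", WITH_TYPOS)):
        access, warnings = evaluate_profile(profile)
        print(f"== {label}: {access}")
        for w in warnings:
            print("   WARNING:", w)
```

Run it as-is to see the three cases; paste your own attribute lines into a string to check a real profile. The important design point is that the check is as strict as VC itself: only an exact lower-case role name on its own autocmd line counts as RW, so anything the script warns about is exactly what would land you in RO on the chassis.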

Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \
