https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3548322#M528775 <HTML><HEAD></HEAD><BODY><P>CSCve33558 might have an impact.</P></BODY></HTML> Fri, 30 Jun 2017 19:23:53 GMT hslai 2017-06-30T19:23:53Z https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3548320#M528773 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>For a customer POC, I have a question relating to <STRONG>what the custom attribute should look like</STRONG> for users accounts authenticating from an APIC GUI to <STRONG>ISE using Tacacs</STRONG>. </P><P></P><P>I have configured the network devices with a network device group, configured the Tacacs Profiles and configured the device admin policy sets. Based on searches, I’ve tried the following cisco av-pair=shell:domains = all/admin/,common//read-all and is not working.</P><P></P><P>Anyone able to share what the Profile Attributes that are required in a raw view format in the TACACS Profile? This would be simple if it was IOS with shell and privilege levels, but APIC is a web based GUI.</P><P></P><P>Any pointers would be appreciated.</P><P></P><P>Ian</P></BODY></HTML> Fri, 30 Jun 2017 17:08:09 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3548320#M528773 iagyte 2017-06-30T17:08:09Z https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3548321#M528774 <HTML><HEAD></HEAD><BODY><P>Hi Ian,</P><P></P><P>Please check out the following article and stick to the format when you configure cisco-av-pair</P><P>http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Configuring_TACACS_RADIUS_LDAP_for_ACI_Access.html#task_D0D8572AB60745F1BFEFE0A2800A1749</P><P></P><P>I am not sure if APIC supports this for all domains. First try giving specific domains and observe the behavior. If there is any logs in APIC turn it on.</P><P>Try RADIUS as well to isolate issue with attributes.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Fri, 30 Jun 2017 17:27:36 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3548321#M528774 kthiruve 2017-06-30T17:27:36Z https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3548322#M528775 <HTML><HEAD></HEAD><BODY><P>CSCve33558 might have an impact.</P></BODY></HTML> Fri, 30 Jun 2017 19:23:53 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3548322#M528775 hslai 2017-06-30T19:23:53Z https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3548323#M528776 <HTML><HEAD></HEAD><BODY><P>In APIC you should see the roles you can assign on the <SPAN style="font-size: 10pt;"> </SPAN><STRONG style="font-size: 10pt;">Admin-&gt;Security Management-&gt;Roles</STRONG><SPAN style="font-size: 10pt;"> screen.&nbsp; The admin role is used to grant full access.&nbsp; The read-all role is used for read-only access.</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">In ISE you assign a RAW profile result t assign the role:<BR /></SPAN></P><P>shell:domains = all/admin/</P><P></P><P>or</P><P></P><P>shell:domains = all/read-all/</P><P></P><P>Note: the training slash has to be there for it to work.&nbsp; If you have multiple domains you can control access to the domains instead of saying "all" you would specify the domain they have access to.&nbsp; I haven't played around with multiple domains before in APIC and control their access but it should work.</P></BODY></HTML> Fri, 30 Jun 2017 20:18:05 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3548323#M528776 paul 2017-06-30T20:18:05Z https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3796205#M528777 <P>Thank you so much for posting this out here!</P> <P>&nbsp;</P> <P>I've been digging through Cisco documentation like crazy and not finding what we needed for the AV-Pair for the APIC's.</P> <P>&nbsp;</P> <P>Thanks again!</P> Wed, 06 Feb 2019 19:24:52 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-custom-attributes-with-apic/m-p/3796205#M528777 Travis Stroebele 2019-02-06T19:24:52Z