topic Re: TACACS tac_plus Configuration AV-PAIR for CISCO ACI in Network Access Control

TACACS tac_plus Configuration AV-PAIR for CISCO ACI

caemcaetano — Tue, 22 Mar 2022 23:34:58 GMT

Hello All!

Hope you all are doing ok!

Does someone already had to change your tac_plus.conf file to insert the av pair in order to allow tacacs authentication in Cisco ACI ( APIC and switches[Spine/Leaf]) ?

I'am trying to edit inserting the av-pair as documented but not sure if should do it inside the brackets of 'service exec' session or create a new session.

I'am doing inside the group session for my network administrators.

I've tried this way below and didn't work:

group = networkadmins {
        default service = permit
        service = exec {
                priv-lvl = 15
                optional brcd-role = "admin"
        }
        service = cisco-aci {
        cisco-av-pair = "shell:domains=all/custom-role-tacacs-admin/custom-role-tacacs-read-all|aaa"
        }
        service = junos-exec {
                        local-user-name = netmanager
        }
}

=================================================================

Also tried this way inside the exec:

group = networkadmins {
        default service = permit
        service = exec {
                priv-lvl = 15
                optional brcd-role = "admin"
                cisco-av-pair = "shell:domains=all/custom-role-tacacs-admin/custom-role-tacacs-read-all|aaa"
        }
        service = junos-exec {
                        local-user-name = netmanager
        }
}

Does anyone has an example of tacacs configuration(tacacs server side) for this cisco-av-pair in order to use with Cisco ACI ?

Re: TACACS tac_plus Configuration AV-PAIR for CISCO ACI

Peter Koleff — Tue, 04 Oct 2022 04:37:49 GMT

Was looking for something else and came across your post, bit late but here's how I have it set up:

group = cisco-aci-admins { default service = permit service = shell { set shell:domains = "all/admin/" set priv-lvl = 15 } } group = cisco-aci-readonly { default service = permit service = shell { set shell:domains = "all//read-all" set priv-lvl = 15 } }

Re: TACACS tac_plus Configuration AV-PAIR for CISCO ACI

Emiliano Almonacid — Mon, 21 Jul 2025 22:23:24 GMT

Hi, I'm struggling with this integration.

Even though I have it as you indicated, it doesn't work. Perhaps it's different in the latest version?

APIC version: 6.0(9d)
FreeTacacs Version: F4.0.4.27a
###ACI GROUP###
group = cisco-aci-admins {
default service = permit
service = shell {
set = "shell:domains=all/admin/"
set = "priv-lvl=15"
}
}

I would appreciate it if you could help me.