CIMC TACACS+ issue providing read-only access for privileged accounts.

jerryburns
Level 1

Hi folks. 

I've been looking at adding a CIMC for an ACI APIC to TACACS / ISE. It's currently running on 4.1(3f), so it does support TACACS+ (supported since 4.1(3b)).

The ISE server already has several CIMC devices authenticating against it (although these are non-ACI, for whatever that's worth).

It has been confirmed that the non-working device is hitting the same CIMC-Tacacs>>Full-Access authorization policy on ISE that a working device is hitting.

It has been confirmed both the non-working and working CIMC are configured the same at the CIMC-end (enabled, same ISE servers listed, etc.).

When logging into the working device, all works as expected. The privileged user is able to make changes.

But when logging into the non-working device using the same privileged account, changes cannot be made. Insufficient privileges message is received.

Worth noting that the working device is on a slightly newer code (4.2(2f)). 

I did search for known bugs relating to CIMC TACACS privileges but have been unsuccessful. Any ideas would be appreciated.

Accepted Solution

jerryburns
Level 1

This has been resolved with Cisco TAC. The following details I am copying from the case (SR 696571024) should they prove useful for anyone else:

  • Problem description: CIMC TACACS with AV pair (admin) is not giving admin privileges.
  • Resolution summary:
    After checking in the LAB, we found the following:
    shell:roles="admin" on version 4.2(2a) was working fine with admin privileges.

I also tested the following AV pairs on version 4.1(3f):

  • shell:roles=admin >> Did not work and got the read-only privileges.
  • shell:roles="admin" >> Did work and got the admin privileges.

These tests confirm this bug: https://cdetsng.cisco.com/summary/#/defect/CSCwi38236

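The fix above comes down to the exact bytes the TACACS+ server places in the authorization reply: the quote characters in shell:roles="admin" are not syntax, they travel literally inside the argument and become part of the value the CIMC sees. As an added illustration (this is not code from the thread, from Cisco, or from ISE, and it does not reproduce how CIMC parses the attribute), the script below encodes a TACACS+ authorization REPLY body as laid out in RFC 8907 section 6.2 for each of the two AV pairs tested in the case, decodes it again and splits it at the separator per RFC 8907 section 8.1. The packet bodies are constructed here; the role strings are the two from the post. The hex output can be compared against a capture of the reply from the ISE node.

```python
import struct

# RFC 8907 section 6.2: authorization REPLY status values.
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


def build_author_reply(args, server_msg=b"", data=b"",
                       status=TAC_PLUS_AUTHOR_STATUS_PASS_ADD):
    """Encode a TACACS+ authorization REPLY body (RFC 8907 s6.2).

    Layout: status(1) arg_cnt(1) server_msg_len(2) data_len(2)
            arg_len[arg_cnt](1 each) server_msg data arg_1 ... arg_N
    Each arg is one ASCII AV pair such as 'shell:roles=admin'. This is the
    body that sits inside the obfuscated payload; the 12-byte TACACS+
    header is not built here.
    """
    encoded = [a.encode("ascii") for a in args]
    if len(encoded) > 255 or any(len(a) > 255 for a in encoded):
        raise ValueError("arg_cnt and arg_len are single octets")
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    body += bytes(len(a) for a in encoded)
    body += server_msg + data + b"".join(encoded)
    return body


def parse_author_reply(body):
    """Decode a REPLY body; returns (status, server_msg, data, args)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len]
    pos += msg_len
    data = body[pos:pos + data_len]
    pos += data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if pos != len(body):
        raise ValueError("length fields do not account for the whole body")
    return status, server_msg, data, args


def split_av_pair(arg):
    """Split an AV pair at its first '=' (mandatory) or '*' (optional), RFC 8907 s8.1.

    The value is returned exactly as carried on the wire: a quote typed into
    the server-side attribute value is an ordinary character here, which is
    why 'shell:roles="admin"' and 'shell:roles=admin' are different values.
    """
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch == "=", arg[i + 1:]
    raise ValueError(f"no separator in AV pair: {arg!r}")


# The two server-side settings compared in the TAC case (constructed input).
ROLE_AV_PAIRS = ('shell:roles=admin', 'shell:roles="admin"')


def role_values_on_the_wire():
    """Encode, decode and split each variant; map AV pair -> decoded value."""
    result = {}
    for av in ROLE_AV_PAIRS:
        body = build_author_reply([av])
        status, _, _, args = parse_author_reply(body)
        assert status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD and args == [av]
        attr, mandatory, value = split_av_pair(args[0])
        assert attr == "shell:roles" and mandatory
        result[av] = value
    return result


if __name__ == "__main__":
    for av in ROLE_AV_PAIRS:
        print(f"{av:22} body={build_author_reply([av]).hex()}")
    print(role_values_on_the_wire())
```

Run it and diff the two hex bodies: they differ only in the arg_len octet (0x11 versus 0x13) and the two 0x22 bytes around admin. When checking a real capture, decode the payload with the shared secret first; the body shown here is what you should find inside it.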
