ISE - TACACS custom attributes with APIC

iagyte
Cisco Employee

Hi,

For a customer POC, I have a question relating to what the custom attribute should look like for users accounts authenticating from an APIC GUI to ISE using Tacacs.

I have configured the network devices with a network device group, configured the TACACS Profiles and configured the device admin policy sets. Based on searches, I’ve tried the following cisco av-pair=shell:domains = all/admin/,common//read-all and it is not working.

Anyone able to share what the Profile Attributes that are required in a raw view format in the TACACS Profile? This would be simple if it was IOS with shell and privilege levels, but APIC is a web based GUI.

Any pointers would be appreciated.

Ian


kthiruve
Cisco Employee

Hi Ian,

Please check out the following article and stick to the format when you configure cisco-av-pair.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Configuring_TACACS_RADIUS_LDAP_for_ACI_Access.html#task_D0D8572AB60745F1BFEFE0A2800A1749

I am not sure if APIC supports this for all domains. First try giving specific domains and observe the behavior. If there are any logs in APIC, turn them on.

Try RADIUS as well to isolate issue with attributes.

Thanks

Krishnan

hslai
Cisco Employee

CSCve33558 might have an impact.

paul
Level 10

In APIC you should see the roles you can assign on the Admin->Security Management->Roles screen. The admin role is used to grant full access. The read-all role is used for read-only access.

In ISE you assign a RAW profile result to assign the role:

shell:domains = all/admin/

or

shell:domains = all/read-all/

Note: the trailing slash has to be there for it to work. If you have multiple domains you can control access to the domains; instead of saying "all" you would specify the domain they have access to. I haven't played around with multiple domains before in APIC and controlled their access, but it should work.
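The trailing-slash rule above in checkable form: an added example written for this page (not code from the thread, ISE or APIC) that parses a cisco-av-pair value into per-domain write and read roles using the domain/write-roles/read-roles layout from the Cisco APIC AAA guide linked earlier, with `|` as the role separator assumed from that guide, and reports a missing trailing slash before the profile is pushed to ISE.

```python
from dataclasses import dataclass
from typing import List, Optional

# Layout APIC expects in the TACACS+ cisco-av-pair (per the Cisco APIC AAA
# guide linked in this thread; the "|" role separator is assumed from it):
#   shell:domains=<domain>/<write-roles>/<read-roles>[,<domain>/...]
# Every entry must carry both slashes, which is why "all/admin/" needs its
# trailing slash: write-role admin, no read-only roles.

@dataclass
class DomainEntry:
    domain: str
    write_roles: List[str]
    read_roles: List[str]

def parse_shell_domains(av_pair: str) -> List[DomainEntry]:
    """Parse 'shell:domains=...' into per-domain role lists.
    Raises ValueError describing the first format problem found."""
    key, sep, value = av_pair.partition("=")
    if not sep or key.strip() != "shell:domains":
        raise ValueError("attribute must start with 'shell:domains='")
    entries = []
    for raw in value.replace(" ", "").split(","):
        parts = raw.split("/")
        if len(parts) < 3:
            raise ValueError(f"{raw!r}: missing trailing slash "
                             "(expected domain/write-roles/read-roles)")
        if len(parts) > 3:
            raise ValueError(f"{raw!r}: too many slashes, expected exactly two")
        domain, write, read = parts
        if not domain:
            raise ValueError(f"{raw!r}: empty domain name")
        entries.append(DomainEntry(domain,
                                   [r for r in write.split("|") if r],
                                   [r for r in read.split("|") if r]))
    return entries

def validate(av_pair: str) -> Optional[str]:
    """Return None when the value is well formed, else the problem as text."""
    try:
        parse_shell_domains(av_pair)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    # Values taken from this thread plus one deliberately broken one.
    for sample in ("shell:domains = all/admin/",
                   "shell:domains = all/read-all/",
                   "shell:domains = all/admin/,common//read-all",
                   "shell:domains = all/admin"):
        print(f"{sample:48} -> {validate(sample) or 'OK'}")
```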

Thank you so much for posting this out here!

I've been digging through Cisco documentation like crazy and not finding what we needed for the AV-Pair for the APICs.

Thanks again!