Tacacs+ Shell Profiles for both IOS, IOS-XE and IOS-XR

Hi

I am working on implementing Cisco ISE as our Tacacs+ server in our company.

We have a mixed infrastructure with both Cisco IOS, Cisco IOS-XE and Cisco IOS-XR devices.

Right now, I am working on building the Policy Sets and belonging Tacacs Shell Profiles.

In my Tacacs shell profile (Privilege 15) I have configured a custom attribute for Cisco IOS-XR Taskgroup:

| Type | Name | Value |
| --- | --- | --- |
| MANDATORY | task | rwx:,#operator |

Raw Profile Attributes:

priv-lvl=15
task=rwx:,#operator

When I use this Tacacs shell profile for Cisco IOS-XR devices it works great, but when I use the same Tacacs shell profile for Cisco IOS or Cisco IOS-XE devices it does not work.

For the Cisco IOS and Cisco IOS-XE devices the Tacacs login fails with the error message: % Authorization failed

In the debug messages it says:

TPLUS: Processing the reply packet
TPLUS: Processed AV priv-lvl=15
TPLUS: Failed to decode unknown AV task=rwx:,#operator - FAIL
AAA/AUTHOR/EXEC(0000017D): Authorization FAILED

I then removed the custom attribute (taskgroup) from the Tacacs shell profile and then it works with Cisco IOS and Cisco IOS-XE – but of course not on Cisco IOS-XR devices.

It looks like the Cisco IOS and Cisco IOS-XE devices do not understand and do not ignore the included custom attribute in the Tacacs reply.

I want to hear if anyone has experience with using the same Tacacs shell profile for both Cisco IOS, Cisco IOS-XE and Cisco IOS-XR devices?

Any idea?

Thanks in advance.

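Added example, not part of the original post: a small Python model of how a TACACS+ client evaluates authorization reply arguments under RFC 8907, where `=` marks an argument mandatory and `*` marks it optional. The two attribute sets and the optional-form reply are constructed assumptions; the mandatory reply is the one shown in the post.

```python
# Added example (not from the original post). Models the RFC 8907 rule for
# authorization reply arguments: "name=value" is mandatory, "name*value" is
# optional. A client must fail authorization on a mandatory argument it does
# not understand, and may ignore an optional one.

# Assumed, simplified attribute sets for two hypothetical client types.
IOS_LIKE = {"priv-lvl"}
XR_LIKE = {"priv-lvl", "task"}

MANDATORY_REPLY = ["priv-lvl=15", "task=rwx:,#operator"]  # as in the post
OPTIONAL_REPLY = ["priv-lvl=15", "task*rwx:,#operator"]   # constructed


def parse_av(arg):
    """Split one argument into (name, mandatory, value)."""
    positions = [p for p in (arg.find("="), arg.find("*")) if p != -1]
    if not positions:
        raise ValueError(f"no '=' or '*' separator in {arg!r}")
    pos = min(positions)  # the first separator decides the type
    return arg[:pos], arg[pos] == "=", arg[pos + 1:]


def authorize(reply_args, known_attrs):
    """Return (passed, applied, ignored, rejected_arg) for one reply."""
    applied, ignored = {}, []
    for arg in reply_args:
        name, mandatory, value = parse_av(arg)
        if name in known_attrs:
            applied[name] = value
        elif mandatory:
            return False, applied, ignored, arg  # unknown mandatory: FAIL
        else:
            ignored.append(arg)  # unknown optional: skipped
    return True, applied, ignored, None


if __name__ == "__main__":
    cases = [("IOS-like", IOS_LIKE, MANDATORY_REPLY),
             ("IOS-like", IOS_LIKE, OPTIONAL_REPLY),
             ("XR-like", XR_LIKE, MANDATORY_REPLY),
             ("XR-like", XR_LIKE, OPTIONAL_REPLY)]
    for label, attrs, reply in cases:
        print(label, reply, authorize(reply, attrs))
```

The model covers only the protocol rule; whether a particular platform honors an optional form of a given attribute has to be confirmed on the device.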