
acs 5.4 tacacs authorization asr 9001

Yoram Baruchian
Level 1

Hi

Can someone help with TACACS attributes to authorize users on Cisco ASR 9001 (IOS XR)?

thanks

Yoram


11 Replies

Amjad Abdullah
VIP Alumni

Hi,

What exactly do you need?

Rating useful replies is more useful than saying "Thank you"


Yoram Baruchian
Level 1

Hi Amjad

I want to give users full access to the machine, like local admin users (all tasks).

At this time, when a user logs in (via TACACS) and issues the command "sh task", there are no tasks assigned to him.

I tried to configure it via policy element --> device admin --> shell profile, but with no luck.

Hi Yoram,

What did you write in the shell profile? Is there any document that you followed?


You need to know which task the command you are trying to issue belongs to.

Then, you need to know which task group the task is listed under.

Check this link to see how to perform the above:

https://supportforums.cisco.com/docs/DOC-15944

Then you need to configure the TACACS+ server to return the attribute that puts the task under the user privilege:

See here: http://goo.gl/7YP5zu

I am using the following command in the ACS server under the user group config (we have 4.2 version):

task=rwx:admin,#cisco-support,#root-system

This will let the user inherit the read, write and execute access to the task "admin" and will put the user as part of the local (defined locally on the router) "cisco-support" and "root-system" user groups.

NOTE: We have done two things above: inherit the access to the task AND put the user as part of chosen local groups. I am not sure if one can be used without the other.

HTH

Amjad


Yoram Baruchian
Level 1

Hi Amjad

I already read that doc.

I am using the VMware version of ACS 5.4.

I did not find where to configure that attribute ":task=rwx:admin,#cisco-support,#root-system"

Hi Amjad

Thanks for your help

It was my mistake on the ACS side (command sets).

Hi Yoram.

Great news. I was writing the reply to you and posted it as well.
I hope it will be useful to other people, as I already included a screenshot.

Regards,

Amjad

P.S.: Thanks for marking the correct answer.


Hi,

I have created the task group on the ASR9K.

I have already integrated ACS 5.4; now I need to allow a user read access only.

I am unable to identify what I need to configure in the shell profile of ACS 5.4.

Please see the task group below.

taskgroup xxx
 task read acl
 task read bgp
 task read admin
 task read static
 task read monitor
 task read network
 task read interface
 task read inventory
 task read route-map
 task read basic-services

Thanks and Regards

 Faiz Ahmad

 

We do value rating the replies. Non-useful replies can also be marked with 1 or 2 stars.

You need to edit the shell profile and go to the Custom Attributes tab. There you can add the task manually, either using the fields below and pressing the "Add" button, or by pressing the "Bulk edit" button and entering something like:

task=rwx:admin,#cisco-support,#root-system

It will be eventually converted to the format you see below in the screenshot.

NOTE: You need to know what task and what user group your users should be assigned and use that in the text format you add to ACS.

The above attribute is just an example.

HTH

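Added example, not part of the original posts and not Cisco's code: a Python example that parses the `task=` attribute format described in the two answers above (`<permissions>:<task>` entries and `#<user-group>` entries), lists the grants a least-privilege review should question, and builds a read-only attribute from the task group posted in the thread. The function names are hypothetical, and sending several `perm:task` entries in one attribute is an assumption extrapolated from the thread's single-task example.

```python
import re

# Predefined IOS XR user groups with very broad rights; flagged for review.
BROAD_GROUPS = {"root-system", "cisco-support"}
PERMS = set("rwxd")  # read, write, execute, debug
SHORT = {"read": "r", "write": "w", "execute": "x", "debug": "d"}

# The read-only task group posted in the thread.
TASKGROUP = """taskgroup xxx
 task read acl
 task read bgp
 task read admin
 task read static
 task read monitor
 task read network
 task read interface
 task read inventory
 task read route-map
 task read basic-services
"""

def parse_task_attribute(attr):
    """Split 'task=rwx:admin,#root-system' into ({task: perms}, [groups])."""
    name, _, value = attr.partition("=")
    if name.strip() != "task" or not value.strip():
        raise ValueError(f"not a task attribute: {attr!r}")
    tasks, groups = {}, []
    for item in (i.strip() for i in value.strip().strip('"').split(",")):
        if item.startswith("#"):
            groups.append(item[1:])
            continue
        perms, sep, task = item.partition(":")
        if not (sep and task and perms) or set(perms) - PERMS:
            raise ValueError(f"malformed entry: {item!r}")
        tasks.setdefault(task, set()).update(perms)
    return tasks, groups

def review(attr):
    """List the grants a least-privilege review should question."""
    tasks, groups = parse_task_attribute(attr)
    findings = [f"broad group: {g}" for g in groups if g in BROAD_GROUPS]
    findings += [f"non-read access to task: {t}"
                 for t, p in sorted(tasks.items()) if p - {"r"}]
    return findings

def attribute_from_taskgroup(config):
    """Assumed mapping: each 'task <perm> <id>' line becomes '<r|w|x|d>:<id>'."""
    pairs = re.findall(r"^[ \t]*task[ \t]+(\w+)[ \t]+(\S+)[ \t]*$", config, re.M)
    return "task=" + ",".join(f"{SHORT[perm]}:{task}" for perm, task in pairs)
```

Running `review()` on a shell profile's attribute before saving it shows whether the profile hands out a broad group such as `root-system` where a read-only task list was intended.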

Hi Amjad

Many thanks again.

It was more than useful.

Thanks Yoram, you are most welcome.

Can you share with us what task and what user group you used? If someone faces the same issue, it will be useful to them.
