

Cisco Prime Device Access Control via TACACS Authentication


I have deployed a Cisco Prime LAN Management Server and I have configured TACACS authentication and authorization for users accessing the Prime box via Cisco ACSv5.2. As I have two groups of users, I would like to restrict the access rights to the Cisco Prime for these two groups of users (access rights of Helpdesk for one group and Super Admin for another group). I am able to authenticate successfully via the Cisco ACSv5.2; however, I always seem to be given the rights of Helpdesk only.

Please advise.

Many Thanks in Advance.




If this is the replacement for CiscoWorks (which I am sure it is), you can only authenticate local users in the Prime database with ACS, meaning that you will have to set the same username depending on which database you will use (ACS local DB or AD).

So if you have a user named ADuser in Active Directory, create a local user account on Prime and map them to the role or group you want them to have access to. Configure the TACACS module and then build your ACS so it authenticates the user via AD or the local database. Once you log in, use the AD password and see if the user is mapped to the proper role.

Hope that helps.

Tarik Admani
*Please rate helpful posts*


Hi Tarik,

I want to integrate the Prime Infrastructure 1.3 with ACS 5.x.

The ACS 5.x authenticates using Active Directory. All devices on the network are configured to use the ACS 5.x, so every user can access or be denied access to the devices based on their access rights.

I want to have the same way for access to the Prime Infrastructure.

You said that for this, besides configuring the authorizations on the shell profile on the ACS for the various different roles, we need to create the users locally on the PI?

Is that really needed?

How do we match the authorization groups on the AD and the roles defined on the PI and on the ACS?

I have read several docs but am not sure if it's really possible to give authorizations to the users from AD based on their assigned AD group.

Thanks in advance
