06-30-2017 10:08 AM
Hi,
For a customer POC, I have a question relating to what the custom attribute should look like for user accounts authenticating from an APIC GUI to ISE using TACACS.
I have configured the network devices with a network device group, configured the TACACS Profiles and configured the device admin policy sets. Based on searches, I've tried the following cisco-av-pair=shell:domains = all/admin/,common//read-all and it is not working.
Is anyone able to share the Profile Attributes that are required in raw view format in the TACACS Profile? This would be simple if it was IOS with shell and privilege levels, but APIC is a web-based GUI.
Any pointers would be appreciated.
Ian
Solved! Go to Solution.
06-30-2017 01:18 PM
In APIC you should see the roles you can assign on the Admin->Security Management->Roles screen. The admin role is used to grant full access. The read-all role is used for read-only access.
In ISE you assign a RAW profile result to assign the role:
shell:domains = all/admin/
or
shell:domains = all/read-all/
Note: the trailing slash has to be there for it to work. If you have multiple domains you can control access to the domains: instead of saying "all" you would specify the domain they have access to. I haven't played around with multiple domains before in APIC and controlling their access, but it should work.
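As an added illustration (not code from this thread or from Cisco), the following Python validator parses a shell:domains AV-pair before it is pasted into the ISE TACACS profile, so a missing trailing slash is caught locally rather than by a failed APIC login. It assumes the grammar implied by the posts above: one or more comma-separated entries of the form domain/write-roles/read-roles, with multiple roles in a slot separated by "|" (the "|" separator is an assumption taken from Cisco's documented format, not from this thread).

```python
"""Validator for the shell:domains TACACS+ AV-pair consumed by APIC.

Constructed example for this thread, not Cisco or ISE code. Assumed grammar:
    shell:domains = <domain>/<write-roles>/<read-roles>[,<domain>/...]
Role lists are '|'-separated and may be empty; the slash after the write
roles is mandatory even when there are no read roles (the "trailing slash"
the accepted answer refers to).
"""
import re
from typing import Dict, List, NamedTuple


class DomainGrant(NamedTuple):
    domain: str
    write_roles: List[str]
    read_roles: List[str]


# Accepts optional whitespace around '=' and captures everything after it.
_PREFIX = re.compile(r"^\s*shell:domains\s*=\s*(.*?)\s*$")


def parse_shell_domains(av_pair: str) -> List[DomainGrant]:
    """Parse the AV-pair into per-domain grants; raise ValueError if malformed."""
    m = _PREFIX.match(av_pair)
    if not m:
        raise ValueError("attribute must start with 'shell:domains ='")
    body = m.group(1)
    if not body:
        raise ValueError("no domain entries present")

    grants: List[DomainGrant] = []
    for entry in body.split(","):
        fields = entry.split("/")
        # Exactly two slashes: domain / write roles / read roles.
        if len(fields) != 3:
            raise ValueError(
                f"entry {entry!r} must be <domain>/<write-roles>/<read-roles>; "
                "the slash after the write roles is required even with no read roles"
            )
        domain, write, read = fields
        if not domain:
            raise ValueError(f"entry {entry!r} has an empty domain name")
        write_roles = [r for r in write.split("|") if r]
        read_roles = [r for r in read.split("|") if r]
        if not write_roles and not read_roles:
            raise ValueError(f"entry {entry!r} grants no roles at all")
        grants.append(DomainGrant(domain, write_roles, read_roles))
    return grants


def is_well_formed(av_pair: str) -> bool:
    """True if the AV-pair parses; False otherwise (never raises)."""
    try:
        parse_shell_domains(av_pair)
        return True
    except ValueError:
        return False


def access_summary(av_pair: str) -> Dict[str, str]:
    """Map each domain to 'write' if any write role is granted, else 'read-only'.

    This is a coarse summary for review: any role in the write slot is treated
    as write access to that domain (an assumption about how APIC applies roles).
    """
    return {
        g.domain: ("write" if g.write_roles else "read-only")
        for g in parse_shell_domains(av_pair)
    }


if __name__ == "__main__":
    # Constructed inputs: the two values from the accepted answer, the value
    # from the original question, and the same value with the slash missing.
    for candidate in (
        "shell:domains = all/admin/",
        "shell:domains = all/read-all/",
        "shell:domains = all/admin/,common//read-all",
        "shell:domains = all/admin",
    ):
        try:
            print(candidate, "->", parse_shell_domains(candidate))
        except ValueError as exc:
            print(candidate, "-> REJECTED:", exc)
```

Run it as a script to see each candidate accepted or rejected; the last one is rejected because it lacks the trailing slash the accepted answer calls out.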
06-30-2017 10:27 AM
Hi Ian,
Please check out the following article and stick to the format when you configure cisco-av-pair
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Configuring_TACACS_RADIUS_LDAP_for_ACI_Access.html#task_D0D8572AB60745F1BFEFE0A2800A1749
I am not sure if APIC supports this for all domains. First try giving specific domains and observe the behavior. If there are any logs in APIC, turn them on.
Try RADIUS as well to isolate issue with attributes.
Thanks
Krishnan
06-30-2017 12:23 PM
CSCve33558 might have an impact.
02-06-2019 11:24 AM
Thank you so much for posting this out here!
I've been digging through Cisco documentation like crazy and not finding what we needed for the AV-Pair for the APICs.
Thanks again!