Participant

tacacs+ av pair, multiple roles

Hi

I'm looking for a solution to have multiple roles in the TACACS+ config on the ACS (4.1), so that I can have CLI read-write access on Nexus switches and also read-write (admin) access on UCS Manager, which is web-based.

Is this possible? network-admin works on Nexus, but I'm read-only if I log in to UCS Manager.

I've tried some things in an ACS test group, but it doesn't work yet.

Does someone know if this is possible and what syntax is correct?

I've tried different kinds of syntax like this, but no luck yet. Only the first entry works, in this case admin aaa:

cisco-av-pair*shell:roles="admin  aaa" shell:roles="network-admin"

Like I said, not sure if this is even possible.

Thanks in advance! 

5 REPLIES
Participant

tacacs+ av pair, multiple roles

Hi

Already found the solution:

This syntax does the trick:

cisco-av-pair*shell:roles="network-admin  admin aaa"

Beginner

Re: tacacs+ av pair, multiple roles

Where do we have to configure and apply these settings? Could you please help.

Cisco Employee

Re: tacacs+ av pair, multiple roles

Hi Veer Pratap,

What ACS code are you using (ACS 4.x or ACS 5.x)?

Configuring ACS 5.x to authenticate Role Based Access Control (RBAC) users on a Nexus 5000 switch via TACACS

https://supportforums.cisco.com/docs/DOC-14273

In case you're using ACS 4.x then you can configure this attribute per user or per group.

First, go to Interface Configuration -> TACACS+ and enable "Display a window for each service selected in which you can enter customized TACACS+ attributes".

Next, go to the user or group where you want to grant this role and check the box next to "Shell (exec)" and in the custom attributes field below add the role assignment.

If you will be authenticating on both NX-OS and UCS devices, use * instead of = to make the role optional or the UCS devices will fail authorization.

~BR
Jatin Katyal

**Do rate helpful posts**
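The two points in this thread, a single shell:roles value carrying several space-separated roles (the poster's working line above) and the `*` versus `=` separator that decides whether a device that cannot apply an attribute fails authorization, follow the TACACS+ argument rules in RFC 8907 section 8.1: an argument joined with `=` is mandatory and a client that cannot oblige it must treat authorization as failed, while one joined with `*` is optional and may be ignored. The following is an added example, not code from the thread or from any Cisco product; it models that client-side evaluation over the ACS custom-attribute lines quoted in the posts. The `supported` set is an assumed per-device list (the thread does not document what UCS Manager actually accepts), and taking only the first shell:roles occurrence mirrors the original poster's observation rather than any documented guarantee.

```python
"""Added example (not from the thread or any Cisco product): a model of how a
TACACS+ client evaluates authorization reply arguments, following the
mandatory ('=') / optional ('*') separator rule of RFC 8907 section 8.1."""
import re
from dataclasses import dataclass

# The first '=' or '*' splits name from value; the separator char carries the
# mandatory/optional flag.
_SEP_RE = re.compile(r'^([^=*]+)([=*])(.*)$', re.S)
# shell:roles="role1 role2 ..." inside the value, quoted as in the ACS field.
_ROLES_RE = re.compile(r'shell:roles\s*=\s*"([^"]*)"')


@dataclass
class AvPair:
    name: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AvPair:
    """Split 'name=value' or 'name*value' into name, value and the flag."""
    m = _SEP_RE.match(raw)
    if not m:
        raise ValueError(f"not an AV pair: {raw!r}")
    name, sep, value = m.groups()
    return AvPair(name.strip(), value.strip(), mandatory=(sep == "="))


def roles_in(value: str) -> list:
    """Roles listed in the first shell:roles="..." found in a value.

    Only the first occurrence is honoured, mirroring what the original poster
    observed (assumption, not a documented guarantee). split() collapses the
    double spaces that appear in the posted lines."""
    m = _ROLES_RE.search(value)
    return m.group(1).split() if m else []


def authorize(reply_args, supported):
    """Evaluate reply arguments the way RFC 8907 8.1 requires of a client.

    supported: attribute names this device knows how to apply. This is an
    assumed, per-device set; the thread does not document the real list for
    NX-OS or UCS Manager.
    Returns (granted, roles)."""
    roles = []
    for raw in reply_args:
        av = parse_av_pair(raw)
        if av.name not in supported:
            if av.mandatory:
                return False, []   # unknown mandatory argument: authorization fails
            continue               # unknown optional argument: ignored
        roles.extend(roles_in(av.value))
    return True, roles


if __name__ == "__main__":
    # Constructed inputs: the lines quoted in the thread.
    working = 'cisco-av-pair*shell:roles="network-admin  admin aaa"'
    print(authorize([working], {"cisco-av-pair"}))
    # A device that cannot apply the attribute: '=' fails, '*' is ignored.
    print(authorize([working.replace("*", "=", 1)], set()))
    print(authorize([working], set()))
```

Run as a script it prints the granted flag and role list for the working line, then shows the same line failing on a device that does not support the attribute when sent with `=` and being ignored (authorization still granted, no roles) when sent with `*`, which is the behaviour the advice above is guarding against.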
Beginner

Re: tacacs+ av pair, multiple roles

Thanks Jatin, I have ACS 4.1. I will just check and let you know if it works.

Cisco Employee

Re: tacacs+ av pair, multiple roles

Sure, let us know in case you need any further assistance.

~BR
Jatin Katyal

**Do rate helpful posts**