Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2560
Views
0
Helpful
5
Replies

tacacs+ av pair, multiple roles

Ton V Engelen
Level 3
Level 3

‎06-19-2013 06:10 AM - edited ‎03-10-2019 08:33 PM

Hi

i m looking for a solution to have multiple roles for the tacacs+ config on the ACS. (4.1) so that i can have cli read-write access on Nexus switches and also read-write (admin) on the UCS manager which is webbased.

is this possible? network-admin works on Nexus, but i m read-only if i log in to UCS manager.

Ive tried somethings in an ACS test group , but it doesn t work yet. 

Does someone know if this is possible and what syntax is correct?

I ve tried different kinds of syntax like this, but no luck yet. Only the first entry works, in this case admin aaa

cisco-av-pair*shell:roles="admin  aaa" shell:roles="network-admin"

Like i said, not sure if this is even possible

Thanks in advance! 

Labels:
0 Helpful
5 Replies 5

Ton V Engelen
Level 3
Level 3

‎06-19-2013 06:18 AM

Hi

already found the solution:

this syntax does the trick

cisco-av-pair*shell:roles="network-admin  admin aaa"

0 Helpful

veer.pratap
Level 1
Level 1
In response to Ton V Engelen

‎07-23-2013 06:53 AM

Where we have to configure and apply these settings. Could you please help.

Sent from Cisco Technical Support iPad App

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to veer.pratap

‎07-23-2013 07:08 AM

Hi Veer Pratap,

What ACS code are you using (ACS 4.x or ACS 5.x)?

Configuring ACS 5.x to authenticate Role Based Access Control (RBAC) users on a Nexus 5000 switch via TACACS

https://supportforums.cisco.com/docs/DOC-14273

In case you're using ACS 4.x then you can configure this attribute per user or per group.

First, go to Interface Configuration -> TACACS+ and enable "Display a window for each service selected in which you can enter customized TACACS+ attributes".

Next, go to the user or group where you want to grant this role and check the box next to "Shell (exec)" and in the custom attributes field below add the role assignment.

If you will be authenticating on both NX-OS and UCS devices, use * instead of = to make the role optional or the UCS devices will fail authorization.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

veer.pratap
Level 1
Level 1
In response to Jatin Katyal

‎07-23-2013 07:52 AM

Thanks Jatin, i have acs 4.1 ,i will just check and let you know if it works..

Sent from Cisco Technical Support iPad App

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to veer.pratap

‎07-23-2013 07:57 AM

Sure, let us know in case you need any further assistance.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful
Customers Also Viewed These Support Documents