TACACS tac_plus Configuration AV-PAIR for CISCO ACI

caemcaetano
Level 1

Hello All!

Hope you all are doing ok!

 

Has anyone already had to change their tac_plus.conf file to insert the av pair in order to allow TACACS authentication in Cisco ACI (APIC and switches [Spine/Leaf])?

I'm trying to edit it, inserting the av-pair as documented, but I'm not sure if I should do it inside the brackets of the 'service exec' session or create a new session.

I'm doing it inside the group session for my network administrators.

I've tried this way below and it didn't work:

group = networkadmins {
        default service = permit
        service = exec {
                priv-lvl = 15
                optional brcd-role = "admin"
        }
        service = cisco-aci {
        cisco-av-pair = "shell:domains=all/custom-role-tacacs-admin/custom-role-tacacs-read-all|aaa"
        }
        service = junos-exec {
                        local-user-name = netmanager
        }
}
=================================================================

Also tried this way inside the exec:

group = networkadmins {
        default service = permit
        service = exec {
                priv-lvl = 15
                optional brcd-role = "admin"
                cisco-av-pair = "shell:domains=all/custom-role-tacacs-admin/custom-role-tacacs-read-all|aaa"
        }
        service = junos-exec {
                        local-user-name = netmanager
        }
}

Does anyone have an example of a TACACS configuration (TACACS server side) for this cisco-av-pair in order to use it with Cisco ACI?

Accepted Solution

Peter Koleff
Level 1

Was looking for something else and came across your post, a bit late but here's how I have it set up:


    group = cisco-aci-admins {
        default service = permit
        service = shell {
            set shell:domains = "all/admin/"
            set priv-lvl = 15
        }
    }

    group = cisco-aci-readonly {
        default service = permit
        service = shell {
            set shell:domains = "all//read-all"
            set priv-lvl = 15
        }
    }
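To show what the accepted answer's two groups actually grant, here is an added Python example (not from this thread or from tac_plus) that parses the Cisco ACI shell:domains AV-pair value, whose format is domain/writeRole1|writeRole2/readRole1|readRole2 with several domains separated by commas, and audits which tac_plus groups end up with a write role. The group-block scanning and the compacted sample config are assumptions for the example.

```python
import re

# Added example, not from the thread: parse the Cisco ACI "shell:domains" AV-pair
# (format: domain/writeRole1|writeRole2/readRole1|readRole2, domains comma-separated)
# and audit which tac_plus groups grant write roles.

def parse_shell_domains(value: str) -> dict:
    """Return {domain: {"write": [...], "read": [...]}} for a shell:domains value."""
    value = value.strip().removeprefix("shell:domains=")
    result = {}
    for entry in value.split(","):
        parts = entry.strip().split("/")
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"malformed domain entry: {entry!r}")
        domain, write, read = parts
        result[domain] = {"write": [r for r in write.split("|") if r],
                          "read": [r for r in read.split("|") if r]}
    return result

def audit_tac_plus(config: str) -> dict:
    """Map each 'group = NAME { ... }' block that sets shell:domains under
    'service = shell' to its parsed roles, flagging groups with any write role."""
    report = {}
    for m in re.finditer(r"group\s*=\s*(\S+)\s*\{", config):
        depth, i = 0, m.end() - 1           # walk to the matching closing brace
        while i < len(config):
            depth += {"{": 1, "}": -1}.get(config[i], 0)
            if depth == 0:
                break
            i += 1
        block = config[m.end():i]
        shell = re.search(r"service\s*=\s*shell\s*\{(.*?)\}", block, re.S)
        dom = re.search(r'shell:domains\s*=\s*"([^"]+)"', shell.group(1)) if shell else None
        if dom:
            roles = parse_shell_domains(dom.group(1))
            report[m.group(1)] = {"roles": roles,
                                  "write_capable": any(v["write"] for v in roles.values())}
    return report

# Constructed sample: the two groups from the accepted answer, compacted onto fewer lines.
SAMPLE = """group = cisco-aci-admins {
  default service = permit
  service = shell { set shell:domains = "all/admin/"   set priv-lvl = 15 }
}
group = cisco-aci-readonly {
  default service = permit
  service = shell { set shell:domains = "all//read-all"   set priv-lvl = 15 }
}"""
```

Running audit_tac_plus over a real tac_plus.conf lets you confirm that groups meant to be read-only carry no write role before handing the file to the TACACS server.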

