Robert-
If you create a separate service rule, you can have it fork TACACS authentication requests from that specific IP to a different Service identity and authorization process, where you can tell it to select a specific shell profile. Then all you have to do is create a separate shell profile for managing Prime and have that one selected. We do this with our UCS devices, regular router/switch CLI logins, etc.
So for example:
UCS: TACACS request --> if match service selection rule "from UCS devices", go to UCS admin access policy --> if match UCS admin identity requirements, give UCS admin shell profile
PI: TACACS request --> if match service selection rule "from PI devices", go to PI admin access policy --> if match PI admin identity requirements (which are same as UCS), give PI admin shell profile
Default: TACACS request --> if match tacacs protocol from our IP range, go to default device admin policy --> if match default identity requirements, give default admin shell profile
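
The three-branch flow in the post above, modelled as an added Python example that is not part of the original post and is not the TACACS server's own code. The addresses, identity group names and top-down first-match evaluation are assumptions; the last function checks that a broad rule such as the default IP range does not sit above the device-specific rules and hide them.

```python
import ipaddress

# Addresses, group names and first-match ordering are assumptions made for
# this illustration; policy and shell profile names follow the post.
SELECTION_RULES = [  # evaluated top-down, first match wins
    ("from UCS devices", "10.10.1.0/28", "UCS admin access policy"),
    ("from PI devices", "10.10.2.5/32", "PI admin access policy"),
    ("tacacs from our IP range", "10.0.0.0/8", "default device admin policy"),
]

ACCESS_POLICIES = {  # policy -> (required identity group, shell profile)
    "UCS admin access policy": ("infra-admins", "UCS admin shell profile"),
    "PI admin access policy": ("infra-admins", "PI admin shell profile"),
    "default device admin policy": ("net-admins", "default admin shell profile"),
}


def select_service(src_ip, rules=SELECTION_RULES):
    """Return the access policy of the first rule whose network holds src_ip."""
    addr = ipaddress.ip_address(src_ip)
    for _name, network, policy in rules:
        if addr in ipaddress.ip_network(network):
            return policy
    return None  # no rule matched, so the request gets no policy


def authorize(src_ip, user_groups, rules=SELECTION_RULES):
    """Walk one request through selection, identity check and shell profile."""
    policy = select_service(src_ip, rules)
    if policy is None:
        return None
    required_group, shell_profile = ACCESS_POLICIES[policy]
    return shell_profile if required_group in user_groups else None


def shadowed_rules(rules=SELECTION_RULES):
    """List rules that can never match because an earlier rule covers them."""
    hidden = []
    for i, (name, network, _policy) in enumerate(rules):
        net = ipaddress.ip_network(network)
        if any(net.subnet_of(ipaddress.ip_network(p[1])) for p in rules[:i]):
            hidden.append(name)
    return hidden
```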