07-15-2013 11:14 AM
Cisco Prime Infrastructure 1.3 - Creating custom TACACS+ Attributes / Shell Profile for ACS 5.3
As titled, currently under Administration > Users, Roles & AAA > User Groups > Export Task List under Cisco PI 1.3
All the attributes are "=", which is mandatory.
Any way I can make this optional?
The reason is that I want to use the same TACACS username for Cisco PI 1.3, IOS and NX-OS devices. NX-OS devices require shell profiles to be optional.
Thanks.
07-15-2013 12:37 PM
Hi Robert:
All are mandatory. If there were any that were optional, they would have been listed as such. Wish it was better news.
11-06-2013 08:57 AM
Robert-
If you create a separate service rule, you can have it fork TACACS authentication requests from that specific IP to a different Service identity and authorization process, where you can tell it to select a specific shell profile. Then all you have to do is create a separate shell profile for managing Prime and have that one selected. We do this with our UCS devices, regular router/switch CLI logins, etc.
So for example:
UCS: TACACS request --> if match service selection rule "from UCS devices", go to UCS admin access policy --> if match UCS admin identity requirements, give UCS admin shell profile
PI: TACACS request --> if match service selection rule "from PI devices", go to PI admin access policy --> if match PI admin identity requirements (which are same as UCS), give PI admin shell profile
Default: TACACS request --> if match tacacs protocol from our IP range, go to default device admin policy --> if match default identity requirements, give default admin shell profile
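The fork described in the reply above, modelled as an added Python sketch (not part of the original thread and not Cisco's code): a source-IP rule picks the shell profile, and a client applies the TACACS+ rule that an unknown mandatory ("=") attribute fails authorization while an unknown optional ("*") one is ignored. The address ranges, attribute values, first-match rule order and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: source ranges and AV pairs are assumptions.
RULES = [  # assumed to be evaluated top-down, first match wins
    ("from PI devices", "192.0.2.10/32", "PI admin shell profile"),
    ("from UCS devices", "192.0.2.32/28", "UCS admin shell profile"),
    ("default device admin", "192.0.2.0/24", "default admin shell profile"),
]
PROFILES = {  # placeholder attribute sets, one per shell profile
    "PI admin shell profile": ["role0=Admin", "task0=View Alerts"],
    "UCS admin shell profile": ["priv-lvl=15"],
    "default admin shell profile": ["priv-lvl=15"],
}


def select_profile(src_ip, rules=RULES):
    """Return the shell profile of the first rule whose range holds src_ip."""
    addr = ipaddress.ip_address(src_ip)
    for _name, network, profile in rules:
        if addr in ipaddress.ip_network(network):
            return profile
    return None


def split_av(pair):
    """Split an AV pair at its first separator: '=' mandatory, '*' optional."""
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], ch == "=", pair[i + 1:]
    raise ValueError(f"no separator in {pair!r}")


def client_accepts(av_pairs, understood):
    """Fail on an unknown mandatory attribute; ignore unknown optional ones."""
    for pair in av_pairs:
        name, mandatory, _value = split_av(pair)
        if mandatory and name not in understood:
            return False
    return True


if __name__ == "__main__":
    cli_device = {"priv-lvl"}  # attributes a hypothetical CLI device understands
    for src in ("192.0.2.10", "192.0.2.40", "192.0.2.77"):
        profile = select_profile(src)
        print(src, "->", profile, PROFILES[profile])
    pi_attrs = PROFILES["PI admin shell profile"]
    print("CLI device given PI attributes:", client_accepts(pi_attrs, cli_device))
```

Placing the catch-all range above the specific rules would shadow them, so in this model the PI and UCS rules have to sit before the default one.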