07-15-2013 11:14 AM
Cisco Prime Infrastructure 1.3 - Creating custom TACACS+ Attributes / Shell Profile for ACS 5.3
As titled, currently under Administration > Users, Roles & AAA > User Groups > Export Task List under Cisco PI 1.3
All the attributes are "=" which is mandatory
Any way I can make this optional?
Reason being is because I want to use the same TACACS Username for Cisco PI 1.3, IOS and NX-OS devices. NX-OS devices require shell profiles to be optional.
Thanks.
07-15-2013 12:37 PM
Hi Robert:
All are mandatory. If there were any that were optional, they would have been listed as such. Wish it was better news.
11-06-2013 08:57 AM
Robert-
If you create a separate service rule, you can have it fork TACACS authentication requests from that specific IP to a different Service identity and authorization process, where you can tell it to select a specific shell profile. Then all you have to do is create a separate shell profile for managing Prime and have that one selected. We do this with our UCS devices, regular router/switch CLI logins, etc.
So for example:
UCS: TACACS request --> if match service selection rule "from UCS devices", go to UCS admin access policy --> if match UCS admin identity requirements, give UCS admin shell profile
PI: TACACS request --> if match service selection rule "from PI devices", go to PI admin access policy --> if match PI admin identity requirements (which are same as UCS), give PI admin shell profile
Default: TACACS request --> if match tacacs protocol from our IP range, go to default device admin policy --> if match default identity requirements, give default admin shell profile
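A small model of the rule flow described in the reply above, added here as an illustration; it is not part of the original thread and is not ACS configuration or code. The subnets, the `NetAdmins` group and the attribute values are constructed assumptions. It shows why the specific "from PI devices" rule has to sit above the broad default rule, and how each profile's attributes are sent as mandatory (`=`) or optional (`*`).

```python
import ipaddress

# Constructed sample data: subnets, group name and attribute values are
# assumptions for illustration, not taken from the thread or from ACS.
SERVICE_SELECTION = [  # evaluated top-down, first match wins
    ("from UCS devices", "192.0.2.0/28", "UCS admin access policy"),
    ("from PI devices", "192.0.2.16/28", "PI admin access policy"),
    ("from our IP range", "192.0.2.0/24", "default device admin policy"),
]
# access policy -> (identity group required, shell profile granted)
AUTHORIZATION = {
    "UCS admin access policy": ("NetAdmins", "UCS admin shell profile"),
    "PI admin access policy": ("NetAdmins", "PI admin shell profile"),
    "default device admin policy": ("NetAdmins", "default admin shell profile"),
}
# shell profile -> [(attribute, value, mandatory?)]
SHELL_PROFILES = {
    "UCS admin shell profile": [("shell:roles", '"admin"', False)],
    "PI admin shell profile": [("role0", "Root", True)],
    "default admin shell profile": [
        ("priv-lvl", "15", True),
        ("shell:roles", '"network-admin"', False),
    ],
}


def select_policy(src_ip):
    """Return the access policy of the first service selection rule that matches."""
    addr = ipaddress.ip_address(src_ip)
    for _name, subnet, policy in SERVICE_SELECTION:
        if addr in ipaddress.ip_network(subnet):
            return policy
    return None  # no rule matched: request is rejected


def authorize(src_ip, user_groups):
    """Return the TACACS+ attribute strings sent to the client, or None on deny."""
    policy = select_policy(src_ip)
    if policy is None:
        return None
    required_group, profile = AUTHORIZATION[policy]
    if required_group not in user_groups:
        return None
    # '=' marks a mandatory attribute, '*' an optional one.
    return [f"{a}{'=' if m else '*'}{v}" for a, v, m in SHELL_PROFILES[profile]]


if __name__ == "__main__":
    for ip in ("192.0.2.5", "192.0.2.20", "192.0.2.100", "198.51.100.5"):
        print(ip, select_policy(ip), authorize(ip, {"NetAdmins"}))
```

If the broad "from our IP range" rule were listed first, requests from the PI address would fall into the default policy and never receive the PI profile.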