05-12-2024 07:13 PM - edited 05-12-2024 11:31 PM
If you look at the TACACS profile as shown in the picture, there are custom characteristics.
I wonder how this works.
In the case of other vendors, I understand that TACACS is linked using these attributes.
If you add a value here, is it compared with the corresponding custom attributes value for the equipment, and if it is the same, will the above account receive the Privilege value?
05-13-2024 06:06 AM
Hello @CCC3
In TACACS+, custom attributes can be defined to carry additional information beyond the standard username and password. These attributes can be used for various purposes, including defining privilege levels for users.
How does it work?
Custom attributes: These are additional pieces of information sent along with the authentication request. In your case, you're talking about custom attributes in a TACACS profile.
Comparing custom attributes: When a user tries to authenticate with a network device (like a router or switch), the TACACS server checks the custom attributes provided by the client against its configured values.
Privilege Levels: Based on the comparison of these attributes, the TACACS server determines the privilege level the user should have. This privilege level determines what actions the user can perform on the device.
Authorization: Once the user is authenticated, the device checks with the TACACS server to determine what level of access the user should have. If the custom attribute values match those configured on the TACACS server, the user is granted the corresponding privilege level.
So, in your case, if a custom attribute value in the TACACS profile matches the value configured for the user on the TACACS server, then the user would receive the corresponding privilege level when they authenticate with the device. This process allows for fine-grained control over user access and privileges on network devices.
05-12-2024 10:59 PM
Hello,
What is the context of your question? Looks like you did not upload the picture you mention in your post...
05-12-2024 11:39 PM
The screenshot was missing.
I've added it.
05-13-2024 02:08 AM
Hello,
I am not really sure I understand what you are asking. The custom attributes are additional attributes... the privilege level can be set in the common attributes section. Can you clarify your question? (If English is not your first language, just post your question in your own language, and we can translate...)
05-12-2024 11:24 PM
Sorry there is no attachment
MHM
05-13-2024 02:32 AM
05-15-2024 08:12 PM
Thank you for your answer.
If there is a specific account of the equipment in the custom attributes value, is it correct to understand that when logging in with that account on the equipment, ISE checks the account with the custom attributes value and gives you certain privileges?
05-16-2024 12:54 AM
You're welcome @CCC3
When a user logs into a network device authenticated through TACACS+, the TACACS+ server, often integrated with ISE, evaluates the user's credentials and any associated custom attributes. If the user's account has specific custom attributes configured, such as privilege levels or command restrictions, and they match the values set on the device, the server grants corresponding privileges. So, during login, ISE checks the account against these attributes and assigns the appropriate privileges based on the configured policies.
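An added illustration, not part of any post in this thread and not Cisco's code: under RFC 8907, attributes configured in a TACACS+ profile reach the device as attribute-value pairs in the authorization REPLY, where `=` marks a pair as mandatory and `*` as optional. The sketch parses a de-obfuscated REPLY body and applies that rule on the device side; `vendor-role`, the function names and the `supported` set are hypothetical, and the sample replies are constructed.

```python
import struct

PASS_ADD, PASS_REPL, FAIL = 0x01, 0x02, 0x10  # authorization status codes (RFC 8907)

def build_reply(status, args):
    """Encode a de-obfuscated authorization REPLY body (constructed sample data)."""
    enc = [a.encode("ascii") for a in args]
    head = struct.pack("!BBHH", status, len(enc), 0, 0)  # no server_msg, no data
    return head + bytes(len(a) for a in enc) + b"".join(enc)

def parse_reply(body):
    """Return (status, [(name, mandatory, value), ...]) from a REPLY body."""
    if len(body) < 6:
        raise ValueError("truncated REPLY header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    if len(lens) != arg_cnt or pos + sum(lens) != len(body):
        raise ValueError("length fields do not match body size")
    pairs = []
    for n in lens:
        arg = body[pos:pos + n].decode("ascii")
        pos += n
        # First '=' or '*' separates name and value: '=' mandatory, '*' optional.
        seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
        if not seps or min(seps) == 0:
            raise ValueError(f"malformed argument: {arg!r}")
        idx = min(seps)
        pairs.append((arg[:idx], arg[idx] == "=", arg[idx + 1:]))
    return status, pairs

def apply_reply(body, supported):
    """Device-side decision; `supported` is the set of attributes it implements."""
    status, pairs = parse_reply(body)
    if status not in (PASS_ADD, PASS_REPL):
        return {"granted": False, "reason": f"server status 0x{status:02x}"}
    applied = {}
    for name, mandatory, value in pairs:
        if name in supported:
            applied[name] = value
        elif mandatory:  # unknown mandatory attribute: authorization must fail
            return {"granted": False, "reason": f"unsupported mandatory {name}"}
    priv = applied.get("priv-lvl")
    if priv is not None and not (priv.isdigit() and int(priv) <= 15):
        return {"granted": False, "reason": "priv-lvl outside 0-15"}
    return {"granted": True, "priv_lvl": int(priv) if priv else None, "applied": applied}

if __name__ == "__main__":
    for args in (["priv-lvl=15", "vendor-role*admin"], ["priv-lvl=15", "vendor-role=admin"]):
        print(args, apply_reply(build_reply(PASS_ADD, args), {"priv-lvl"}))
```

A custom attribute marked mandatory that the device does not implement causes the whole authorization to fail, which is why vendor-specific pairs are often sent as optional when a profile is shared across platforms.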