
I don't understand how TACACS Profiles works.

CCC3
Level 1

If you look at the TACACS profile as shown in the picture, there are custom attributes.

I wonder how this works.

In the case of other vendors, I understand that TACACS is linked using these attributes.

If you add a value here, compare it with the corresponding custom attributes value for the equipment, and if it is the same, will the account receive the Privilege value above?

1 Accepted Solution


M02@rt37
VIP

Hello @CCC3 

In TACACS+, custom attributes can be defined to carry additional information beyond the standard username and password. These attributes can be used for various purposes, including defining privilege levels for users.

How does it work?

Custom attributes: These are additional pieces of information sent along with the authentication request. In your case, you're talking about custom attributes in a TACACS profile.

Comparing custom attributes: When a user tries to authenticate with a network device (like a router or switch), the TACACS server checks the custom attributes provided by the client against its configured values.

Privilege Levels: Based on the comparison of these attributes, the TACACS server determines the privilege level the user should have. This privilege level determines what actions the user can perform on the device.

Authorization: Once the user is authenticated, the device checks with the TACACS server to determine what level of access the user should have. If the custom attribute values match those configured on the TACACS server, the user is granted the corresponding privilege level.

So, in your case, if a custom attribute value in the TACACS profile matches the value configured for the user on the TACACS server, then the user would receive the corresponding privilege level when they authenticate with the device. This process allows for fine-grained control over user access and privileges on network devices.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


8 Replies

Hello,

What is the context of your question? Looks like you did not upload the picture you mention in your post...

The screenshot was missing.

I've added it.

Hello,

I am not really sure I understand what you are asking. The custom attributes are additional attributes... the privilege level can be set in the common attributes section. Can you clarify your question? (If English is not your first language, just post your question in your own language, and we can translate...)

Sorry, there is no attachment.

MHM


Thank you for your answer.

If there is a specific account of the equipment in the custom attributes value, is it correct to understand that when logging in with that account on the equipment, ISE checks the account with the custom attributes value and gives you certain privileges?

You're welcome @CCC3

When a user logs into a network device authenticated through TACACS+, the TACACS+ server, often integrated with ISE, evaluates the user's credentials and any associated custom attributes. If the user's account has specific custom attributes configured, such as privilege levels or command restrictions, and they match the values set on the device, the server grants corresponding privileges. So, during login, ISE checks the account against these attributes and assigns the appropriate privileges based on the configured policies.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
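
An added example, not part of the thread and not Cisco or ISE code: how a device (the TACACS+ client) could process the attribute-value arguments of an authorization reply as RFC 8907 lays them out, where `=` marks an argument mandatory and `*` marks it optional. The `example-role` attribute, the function names and the sample replies are constructed for illustration, and the body is assumed to be already de-obfuscated.

```python
import struct

PASS_ADD, PASS_REPL, FAIL = 0x01, 0x02, 0x10  # RFC 8907 authorization status codes

def build_reply(status, args):
    """Encode a de-obfuscated authorization REPLY body (used for the constructed samples)."""
    enc = [a.encode("ascii") for a in args]
    # status, arg_cnt, server_msg_len, data_len, then one length byte per argument
    return struct.pack("!BBHH", status, len(enc), 0, 0) + bytes(len(a) for a in enc) + b"".join(enc)

def parse_reply(body):
    """Return (status, [argument strings]); reject bodies whose lengths do not add up."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    if len(lens) != arg_cnt or pos + sum(lens) != len(body):
        raise ValueError("malformed authorization reply")
    args = []
    for n in lens:
        args.append(body[pos:pos + n].decode("ascii"))
        pos += n
    return status, args

def split_avp(arg):
    """Split 'name=value' (mandatory) or 'name*value' (optional) at the first separator."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch == "=", arg[i + 1:]
    raise ValueError("argument has no separator")

def apply_reply(body, understood):
    """Return the attributes the device applies, or None if authorization fails."""
    status, args = parse_reply(body)
    if status not in (PASS_ADD, PASS_REPL):
        return None
    session = {}
    for arg in args:
        name, mandatory, value = split_avp(arg)
        if name in understood:
            session[name] = value
        elif mandatory:
            return None  # a mandatory attribute the device cannot honour fails the request
    lvl = session.get("priv-lvl")
    if lvl is not None:
        if not lvl.isdigit() or int(lvl) > 15:
            return None  # privilege levels run 0 to 15
        session["priv-lvl"] = int(lvl)
    return session

# Constructed samples: "example-role" is a hypothetical custom attribute.
OPTIONAL = build_reply(PASS_ADD, ["priv-lvl=15", "example-role*netadmin"])
MANDATORY = build_reply(PASS_ADD, ["priv-lvl=15", "example-role=netadmin"])
```

A device that only understands `priv-lvl` applies level 15 for `OPTIONAL` and ignores the extra attribute, but treats `MANDATORY` as a failed authorization.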