Prime Infrastructure to CSACS 5.3, TACACS AV Values?

nellson
Level 1

I am scanning the documentation for CPI 1.2, trying to get it to use CSACS 5.3 for my authentication/authorization. The docs say to create a TACACS Shell Profile, and add the TACACS A/V Pairs as needed... um... nowhere could I find a listing of AV Pairs I can use to grant authorization. I did see that whatever pairs I did use, I must keep the menu chain intact... that makes sense.

Anyone got a list somewhere of how they are formatted? Or a document I can use?

Nick

Accepted Solutions

alex.dersch
Level 4

Hey Nick,

In PI 1.2, go to Administration > Users, Roles & AAA > User Groups, choose a User Group and click export task list.

Those are the custom attributes you have to add to your ACS. Be aware you have to add them one by one; there is no import function. Also, those attributes sometimes change after upgrading Prime Infrastructure.

regards

alex

Oh dear gosh.... I added:

role0=Root

virtual-domain0=ROOT-DOMAIN

task0=All (Cause that was in the list for the ROOT group)

And while I now get logged in, I don't have permissions to even display the Monitor Summary page...

Please, someone tell me that I do not have to enter ALL of the AV Pairs one at a time (thank you CSACS 5.x )

What is the point of having the role "ROOT" if you have restrictions???

Nick

You'll have to add all those attributes.

task46=...

task47=...

(submit, reopen)

task48=...

To Cisco CSACS team: This is progress????

task48=...

(oh frick!, click, edit, task49, replace..)

Is the need for adding the attributes one-by-one with submit, reopen after every attribute in ACS4 as well?

Is there also a command-line tool in ACS4 that can import the 172 admin attributes at once?

General question:

Is it possible to implement more than one prime infrastructure role (User Group) at ACS so that Network admins, Network Operators, Report Creators, PI Admins ... can be maintained on ACS?

Steffen

Hi,

We changed our pick from group admin to group root to obtain the task list as I brought here and it fixed the issue on PI 3.1 and ACS 5.8.1.4

*PLUS  virtual-domain0=ROOT-DOMAIN

role0=Root
task0=Mesh Reports
task1=Discovery Schedule Privilege
task2=Saved Reports List
task3=Monitor Menu Access
task4=Device WorkCenter
task5=Inventory Menu Access
task6=Add Device Access
task7=Config Audit Dashboard
task8=Custom NetFlow Reports
task9=Apic Controller Read Access
task10=Configuration Templates Read Access
task11=Alarm Policies Edit Access
task12=High Availability Configuration
task13=View Job
task14=Incidents Alarms Events Access
task15=TAC Case Management Tool
task16=Configure Autonomous Access Point Templates
task17=Import Policy Update
task18=PnP Profile Read-Write Access
task19=SSO Server AAA Mode
task20=Alarm Browser Access
task21=Client Location
task22=Configure WIPS Profiles
task23=Swim Distribution
task24=System Settings
task25=Appliance
task26=Credential Profile Add_Edit Access
task27=Users and Groups
task28=Edit Device Access
task29=Monitor Ethernet Switches
task30=Remove Clients
task31=Unsanitized Device Config Export
task32=Monitor Mobility Devices
task33=Auto Provisioning
task34=View Compute Devices
task35=Configure Third Party Controllers and Access Point
task36=Monitor Chokepoints
task37=Application Server Management Access
task38=Home Menu Access
task39=Run Reports List
task40=Configure Config Groups
task41=Performance Dashboard Access
task42=Apic Global PnP Read Access
task43=Swim Upgrade Analysis
task44=Swim Activation
task45=View Alerts and Events
task46=Swim Collection
task47=License Check
task48=Configure Templates
task49=Monitor Security
task50=Service Health Access
task51=Site Visibility Access
task52=Device View configuration Access
task53=Approve Job
task54=Discovery CRUD Privilege
task55=RADIUS Servers
task56=Monitor Spectrum Experts
task57=Email Notification
task58=Alarm Stat Panel Access
task59=System Jobs Tab Access
task60=Apic Global PnP Write Access
task61=Maps Read Write
task62=Administrative privileges under Manage and Monitor Servers page
task63=Export Groups
task64=Monitor Tags
task65=Maps Menu Access
task66=System Monitoring Dashboard
task67=Monitor Interferers
task68=Device Bulk Import Access
task69=View Audit Logs Access
task70=Configure Guest Users
task71=Configure Menu Access
task72=Configure Controllers
task73=Configure Switch Location Configuration Templates
task74=Mobility Service Management
task75=WIPS Service
task76=Configure Mobility Devices
task77=Swim Info Update
task78=Help Menu Access
task79=Scheduled Tasks and Data Collection
task80=Monitoring Policies
task81=Pick and Unpick Alerts
task82=Rogue Location
task83=Delete Device Access
task84=Search Access
task85=Swim Recommondation
task86=Track Clients
task87=Voice Audit Report
task88=AHC Root Only
task89=SSO Servers
task90=All
task91=Delete and Clear Alerts
task92=Pause Job
task93=Admin Dashboard Access
task94=Network Topology Edit
task95=Configure ACS View Servers
task96=Application and Services Access
task97=Edit Job
task98=Device Reports
task99=Logging
task100=Configure ISE Servers
task101=CleanAir Reports
task102=Compliance Audit PAS Access
task103=Raw NetFlow Reports
task104=Credential Profile View Access
task105=View CAS Notifications Only
task106=Delete Group Members
task107=Custom Trap Event
task108=System Monitoring Reports
task109=Audit Trails
task110=Compliance Audit Fix Access
task111=Custom Syslog Event
task112=Ack and Unack Security Index Issues
task113=Configure Access Points
task114=Maps Read Only
task115=Cancel Job
task116=TrustSec Readiness Assessment
task117=Delete Groups
task118=Automated Feedback
task119=Scheduled Configuration Tasks
task120=Voice Diagnostics
task121=Product Feedback
task122=View Alert Condition
task123=Configure Ethernet Switches
task124=PfR Monitoring Access
task125=Performance Reports
task126=Manage and Monitor Servers Page Access
task127=PnP Preferences Read-Write Access
task128=Device Detail UDF
task129=Delete Job
task130=Schedule Job
task131=Configure Spectrum Experts
task132=Add Group Members
task133=Lync Monitoring Access
task134=Network Summary Reports
task135=Reports Menu Access
task136=Design Configuration Template Access
task137=Import Groups
task138=Custom Composite Report
task139=Security Reports
task140=Identify Unknown Users
task141=Tools Menu Access
task142=Design Endpoint Site Association Access
task143=Export Audit Logs Access
task144=Alarm Policies
task145=Health Monitor Details
task146=Guest Reports
task147=Apic Controller Write Access
task148=Credential Profile Delete Access
task149=Compliance Reports
task150=Services Menu Access
task151=Compliance Audit Profile Access
task152=Discovery View Privilege
task153=Device Config Backup Job Edit Access
task154=Planning Mode
task155=Export Device Access
task156=Virtual Elements Tab Access
task157=Config Archive Read-Write Task
task158=Modify Groups
task159=Configure Lightweight Access Point Templates
task160=Monitor Access Points
task161=User Preferences
task162=Monitor Clients
task163=License Center/Smart License
task164=Disable Clients
task165=Monitor WiFi TDOA Receivers
task166=Ack and Unack Alerts
task167=Diagnostic Information
task168=Deploy Configuring Access
task169=Data Collection Management Access
task170=Identity Search Engine
task171=Report Launch Pad
task172=Report Run History
task173=Configure Choke Points
task174=Administration Menu Access
task175=Context Aware Reports
task176=Allow report/dashlet use for users with only NBI Read access
task177=Global SSID Groups
task178=Configure WiFi TDOA Receivers
task179=Swim Preference Save
task180=RRM Dashboard
task181=Client Reports
task182=Autonomous AP Reports
task183=PnP Deploy History Read-Write Access
task184=Global Variable Access
task185=Configure Ethernet Switch Ports
task186=PnP Profile Deploy Read-Write Access
task187=Wireless Dashboard Access
task188=Add Groups
task189=WorkflowsReadWriteAccess
task190=Migration Templates
task191=Run Job
task192=Virtual Domains List
task193=Packet Capture Access
task194=TACACS+ Servers
task195=Swim Access Privilege
task196=Monitor Controllers
task197=Troubleshoot
task198=Swim Delete
task199=Monitor Media Streams
task200=Compliance Audit Policy Access
task201=View Security Index Issues
task202=Virtual Domain Management
task203=Manage Protocol
task204=Add Software Image Management Servers
task205=Network Topology
task206=MSAP Reports

I am also facing the same symptom with Prime Infrastructure 2.0 and ACS 5.5.

Already added all attributes & virtual domain manually but still cannot login with TACACS user account.

In ACS, I get authentication successful logs. Can anyone suggest for these versions?

Thanks,

nellson
Level 1

Oh good grief... Thank you, Alex!!

(smh) how did I miss this...

magnus.jagevall
Level 4

If you patch your ACS to latest patch (5-3-0-40-6) there is an option of "Bulk edit" in Shell profile->Profile name->Custom Attributes.

Just paste all of the tasks gotten from the PI1.2...works just fine

//Magnus

ds6123
Level 1

I'm running into the same problem and I can't see the images in the solution.

I'm trying to get PI 2.1 to authenticate to ACS 5.5.  I configured the shell profile to what I believe should work with all of the custom attributes and I get a successful ACS log, but PI still shows me the error when I try to login to PI:

"No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"

In ACS, I get authentication successful logs with the big list of attributes being returned back to PI.

I tried moving the virtual-domain0=ROOT-DOMAIN to the bottom and the top, but I get the same error when I try to login to PI.

Can anybody clarify the config required in ACS 5 for this to work?

 

BTW, the PI 2.1 config guide is horrible.  To create the appropriate shell profile in ACS it says "Enter the required information, then click Submit".  HA HA HA, Cisco!!! Thanks for the detailed info!!!

 

Here is what I attempted to do in ACS:

 

Not sure if doing things on my Mac broke things because of the different "new line" characters or what.  But I redid everything on a Windows box (and made sure the virtual-domain0 line existed... I put it at the end) and things work fine now.

 

 

Thanks ds6123@sbc.com - that was exactly the issue.  I recently upgraded to PI 2.1 and am running ACS 5.4.  I was having the same issue "No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server". Here is a summary of how I got this to work with minimal effort.

1. In PI go to Administration -> AAA -> User Groups.  Click on the Task List of the role you want to add to ACS.

2. Copy all the TACACS+ Custom Attributes to Notepad.

3. Follow the guide for adding NCS to ACS.  This link provides the basic steps:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system-54/116358-configure-product-00.html

4. When you get to the part where you create the NCS Shell Profile click Bulk Edit and paste all the custom attributes you copied in step 2.

5. Before clicking save add the final attribute virtual-domain0=ROOT-DOMAIN (assuming ROOT-DOMAIN is correct).

Hi all,

I tried all steps mentioned above to get TACACS working with PI 3.0 and ACS 5.5, but still get the message:

"No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"

I added

role0=Admin

task0-189=...

and

virtual-domain0=ROOT-DOMAIN

In the ACS Log I can see, that the correct Shell profile is used:

Selected Shell Profile:Prime Infrastructure

Does anyone have an idea what's wrong here?

Thanks

thomas_irick
Level 1

I finally figured this out... with very simplistic settings.

If you are simply trying to create Full-Admin level access for accounts using TACACS+, and are getting a "No Authorization Information Found" error... and ACS is showing your account as passing authentication... the problem is the shell profile.

For easy "Allow All" admin access... try adding these custom attributes.

I copied the "tasks list" from the Admin Group profile in Prime, and then amended task0 = ALL, instead of "View Alerts and Events"

(not sure why this information isn't more readily available from Cisco?)

Example of my Shell Profile Configuration, no common tasks defined,

role0=Admin
task0=ALL
task1=Run Job
task2=Device Reports
task3=RADIUS Servers
task4=Raw NetFlow Reports
task5=Credential Profile Delete Access
task6=Network Summary Reports
task7=Edit Audit Logs Purge Settings Access
task8=Discovery View Privilege
task9=Configure ACS View Servers
task10=Run Reports List
task11=View Audit Logs Purge Settings Access
task12=View CAS Notifications Only
task13=Administration Menu Access
task14=Monitor Clients
task15=Configure Guest Users
task16=Monitor Media Streams
task17=Configure Lightweight Access Point Templates
task18=Config Archive Read Task
task19=Monitor Chokepoints
task20=Maps Read Write
task21=Configure Access Points
task22=Virtual Domains List
task23=View Compute Devices
task24=Users and Groups
task25=View Group Members
task26=Monitor Third Party Controllers and Access Point
task27=Edit Device Access
task28=Saved Reports List
task29=Migration Templates
task30=Monitor Spectrum Experts
task31=Configure Autonomous Access Point Templates
task32=Audit Trails
task33=Swim Collection
task34=Device WorkCenter
task35=Client Location
task36=Delete Device Access
task37=TrustSec Readiness Assessment
task38=PnP Profile Deploy Read-Write Access
task39=Monitor Access Points
task40=Data Collection Management Access
task41=CleanAir Reports
task42=Configure Ethernet Switches
task43=Configure Ethernet Switch Ports
task44=TACACS+ Servers
task45=Edit Job
task46=Mobility Service Management
task47=Autonomous AP Reports
task48=Swim Upgrade Analysis
task49=Delete Groups
task50=Performance Reports
task51=Configure Controllers
task52=Help Menu Access
task53=Packet Capture Access
task54=Product Feedback
task55=Credential Profile Add_Edit Access
task56=MSAP Reports
task57=Scheduled Tasks and Data Collection
task58=Monitor Tags
task59=Details Dashboard Access
task60=Search Access
task61=Scheduled Configuration Tasks
task62=View Groups
task63=Configure WIPS Profiles
task64=Delete Job
task65=Network Topology
task66=Client Reports
task67=Troubleshoot
task68=Services Menu Access
task69=Lobby Ambassador User Preferences
task70=Configure Templates
task71=System Jobs Tab Access
task72=System Settings
task73=nbiPrivatePrivilege
task74=Report Launch Pad
task75=Remove Clients
task76=Performance Dashboard Access
task77=Configure Config Groups
task78=Application and Services Access
task79=Inventory Menu Access
task80=Export Device Access
task81=Mesh Reports
task82=Swim Info Update
task83=High Availability Configuration
task84=License Center
task85=View Audit Logs Access
task86=Lobby Ambassador Defaults Configuration
task87=Design Monitoring Template Access
task88=Add Group Members
task89=Manage and Monitor Servers Page Access
task90=Monitor Controllers
task91=Deploy Configuring Access
task92=View Job
task93=Monitor Security
task94=Track Clients
task95=Monitor Menu Access
task96=Software Updates UBF Upload
task97=Export Audit Logs Access
task98=Design Configuration Template Access
task99=Schedule Job
task100=PnP Preferences Read Access
task101=SSO Servers
task102=Monitor Interferers
task103=Configure Switch Location Configuration Templates
task104=Configure WiFi TDOA Receivers
task105=Add Groups
task106=Cancel Job
task107=Swim Distribution
task108=Maps Menu Access
task109=PnP Preferences Read-Write Access
task110=Discovery CRUD Privilege
task111=Voice Audit Report
task112=Admin Dashboard Access
task113=PnP Deploy History Read-Write Access
task114=Global SSID Groups
task115=Credential Profile View Access
task116=Modify Groups
task117=Report Run History
task118=Maps Read Only
task119=Compliance Reports
task120=Disable Clients
task121=Wireless Dashboard Access
task122=Custom NetFlow Reports
task123=PnP Profile Deploy Read Access
task124=WIPS Service
task125=Security Reports
task126=Application Server Management Access
task127=Configure Spectrum Experts
task128=Appliance
task129=Monitoring Policies
task130=View Security Index Issues
task131=Swim Access Privilege
task132=Configure Mobility Devices
task133=Device Bulk Import Access
task134=Home Menu Access
task135=Health Monitor Details
task136=Monitor WiFi TDOA Receivers
task137=Add Device Access
task138=Approve Job
task139=View Alert Condition
task140=User Preferences
task141=Guest Reports
task142=Config Archive Read-Write Task
task143=Logging
task144=Configuration Templates Read Access
task145=Device View configuration Access
task146=Swim Preference Save
task147=Automated Feedback
task148=Delete and Clear Alerts
task149=Identity Search Engine
task150=Workflows Read-Write Access
task151=Configure Third Party Controllers and Access Point
task152=Email Notification
task153=License Check
task154=SSO Server AAA Mode
task155=Rogue Location
task156=Swim Recommondation
task157=Identify Unknown Users
task158=Delete Group Members
task159=Reports Menu Access
task160=PnP Profile Read-Write Access
task161=Configure ISE Servers
task162=Tools Menu Access
task163=Config Audit Dashboard
task164=Incidents Alarms Events Access
task165=Virtual Domain Management
task166=Monitor Ethernet Switches
task167=TAC Case Management Tool
task168=Pause Job
task169=Discovery Schedule Privilege
task170=Monitor Mobility Devices
task171=Context Aware Reports
task172=Voice Diagnostics
task173=Configure Choke Points
task174=MSE Analytics
task175=RRM Dashboard
task176=PnP Deploy History Read Access
task177=Swim Delete
task178=Theme Changer Access
task179=Import Policy Update
task180=Design Endpoint Site Association Access
task181=PnP Profile Read Access
task182=Planning Mode
task183=Pick and Unpick Alerts
task184=Configure Menu Access
task185=Ack and Unack Security Index Issues
task186=Deploy Monitoring Template Access
task187=Ack and Unack Alerts
task188=Auto Provisioning
virtual-domain0=ROOT-DOMAIN

(punctuation and capitalization is key... and these settings assume that your Prime appliance is using the default virtual domain configuration)

Obviously, if you are trying to "fine-tune" user level access, you will need to amend the tasks using the templates associated with each user group.
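
Added example, not from any post in this thread and not Cisco code: a small Python check to run over the attribute text before pasting it into the ACS shell profile's Bulk Edit box. It covers the failure causes reported above (odd line endings, a missing virtual-domain0 line, a line lost while copying) and lists task names that differ between a fresh PI export and the profile already in ACS, since the exported tasks can change after a PI upgrade. Treating a gap in task numbering as a dropped line is an assumption of this example; the sample strings are constructed.

```python
import re

# role0=..., taskN=..., virtual-domainN=... as shown in the posts above
ATTR_RE = re.compile(r"^(role|task|virtual-domain)(\d+)=(.+)$")

def parse_attributes(text):
    """Return (attrs, problems); attrs maps kind -> {index: value}."""
    attrs = {"role": {}, "task": {}, "virtual-domain": {}}
    problems = []
    # splitlines() treats \n, \r\n and a bare \r as line breaks alike
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # also drops stray trailing or non-breaking spaces
        if not line:
            continue
        m = ATTR_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not an attribute pair: {line!r}")
            continue
        kind, idx, value = m.group(1), int(m.group(2)), m.group(3).strip()
        if idx in attrs[kind]:
            problems.append(f"line {lineno}: duplicate {kind}{idx}")
        attrs[kind][idx] = value
    return attrs, problems

def lint(text):
    """Problems to fix before the text goes into the shell profile."""
    attrs, problems = parse_attributes(text)
    for kind in ("role", "virtual-domain"):
        if not attrs[kind]:
            problems.append(f"missing {kind}0")
    tasks = attrs["task"]
    if not tasks:
        problems.append("no task attributes")
    else:
        # Assumption: the export numbers tasks 0..N, so a gap means a lost line
        gaps = sorted(set(range(max(tasks) + 1)) - set(tasks))
        if gaps:
            problems.append("gap in task numbering: "
                            + ", ".join(f"task{i}" for i in gaps))
    return problems

def task_drift(new_text, old_text):
    """Task names (added, removed) going from the old profile to the new list."""
    new = set(parse_attributes(new_text)[0]["task"].values())
    old = set(parse_attributes(old_text)[0]["task"].values())
    return sorted(new - old), sorted(old - new)

# Constructed samples. OLD_PROFILE uses bare-CR line endings, has lost task2
# and has no virtual-domain0; NEW_PASTE is a complete list ready to paste.
OLD_PROFILE = "role0=Admin\rtask0=Run Job\rtask1=Device Reports\rtask3=RADIUS Servers\r"
NEW_PASTE = ("role0=Admin\ntask0=Run Job\ntask1=Device Reports\n"
             "task2=RADIUS Servers\ntask3=Packet Capture Access\n"
             "virtual-domain0=ROOT-DOMAIN\n")

if __name__ == "__main__":
    print(lint(OLD_PROFILE))
    print(lint(NEW_PASTE))
    print(task_drift(NEW_PASTE, OLD_PROFILE))
```
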
