Prime tacacs attributes

S M85

I'm configuring Prime TACACS+ access, so that every login account goes through our ISE deployment for the right authorization. I got this working for RADIUS, but it seems that this configuration doesn't work for TACACS+.

RADIUS configuration that works:

ACCESS_ACCEPT

cisco-av-pair=NCS:role0=Root

cisco-av-pair=NCS:task26=All

cisco-av-pair=NCS:task15=Administration Menu Access

cisco-av-pair=NCS:task52=Help Menu Access

cisco-av-pair=NCS:task67=Services Menu Access

cisco-av-pair=NCS:task89=Monitor Menu Access

cisco-av-pair=NCS:task118=Home Menu Access

cisco-av-pair=NCS:task138=Reports Menu Access

cisco-av-pair=NCS:task141=Tools Menu Access

cisco-av-pair=NCS:task158=Configure Menu Access

cisco-av-pair=NCS:virtual-domain0=ROOT-DOMAIN

I only have to give the authorization profile access to the 'main menus'; it seems to work with task 26 'All'. However, this configuration doesn't work for TACACS+. I also figured out that the task numbers have been switched between the different versions of Prime. I can't figure out which task numbers are correct. The documentation on this part of the configuration is missing in the official guides. Any help would be appreciated.

The goal is to give the user root access in Cisco Prime 1.3, with all levels. But authentication must go through our ISE server deployment, so we can use our own authentication backend (RSA, Active Directory).

Accepted Solutions

Actually, the above is incomplete. That will just get you part of what you need. You also need to navigate to Administration --> Users, Roles & AAA --> User Groups. Choose the type of user you want to assign to your shell profile and click the task list. The task list will include all the roles you need. The first post will be needed to assign the virtual domain to the user only. Both are needed.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

3 Replies

Are you looking for the roles that need to be assigned?  I'm going to assume the roles will be the same for ISE as they are for ACS.  If you navigate to Administration --> Virtual Domain --> and then click "Export" on the top left side you should be able to export the roles needed for TACACS.  You will need to do this for each virtual domain.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.


Hi Christopher,

You're right. I was searching exactly in the wrong place. Like you said in the first post, that was the place I was searching. So for each Prime version changes are made here.
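
An added example, not part of any post in this thread and not Cisco code: a check that the role, task and virtual-domain attributes in an authorization profile still match the list exported from the Prime version in use, since the thread notes that task numbers change between versions. The line format is the one from the RADIUS profile in the question; the export text is constructed sample data, and the assumption is that the exported list uses the same `NCS:<kind><index>=<name>` lines.

```python
import re

# Line format as in the RADIUS profile quoted in the question; the prefix is optional.
AV_PAIR = re.compile(r"^(?:cisco-av-pair=)?NCS:(role|task|virtual-domain)(\d+)=(.+)$")

def parse_av_pairs(text):
    """Return {(kind, index): name} for each NCS attribute line."""
    attrs = {}
    for line in text.splitlines():
        m = AV_PAIR.match(line.strip())
        if m:
            attrs[(m.group(1), int(m.group(2)))] = m.group(3).strip()
    return attrs

def audit_profile(profile, export):
    """List profile attributes whose index/name pair is not in this version's export.

    Each finding is (kind, name, index_in_profile, index_in_export or None).
    """
    index_of = {(kind, name): idx for (kind, idx), name in export.items()}
    findings = []
    for (kind, idx), name in sorted(profile.items()):
        if export.get((kind, idx)) != name:
            findings.append((kind, name, idx, index_of.get((kind, name))))
    return findings

# Subset of the profile from the question.
PROFILE = """
cisco-av-pair=NCS:role0=Root
cisco-av-pair=NCS:task26=All
cisco-av-pair=NCS:task15=Administration Menu Access
cisco-av-pair=NCS:task52=Help Menu Access
cisco-av-pair=NCS:virtual-domain0=ROOT-DOMAIN
"""

# Constructed export for a hypothetical other version: one task renumbered, one absent.
EXPORT = """
NCS:role0=Root
NCS:task26=All
NCS:task15=Constructed Placeholder Task
NCS:task17=Administration Menu Access
NCS:virtual-domain0=ROOT-DOMAIN
"""

def run_audit():
    return audit_profile(parse_av_pairs(PROFILE), parse_av_pairs(EXPORT))

if __name__ == "__main__":
    for kind, name, old, new in run_audit():
        status = f"now index {new}" if new is not None else "not in export"
        print(f"{kind}{old}={name}: {status}")
```

A finding with a new index means the profile would grant whatever task now sits at the old index, so the profile should be regenerated from the current export before it is relied on.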