07-15-2013 12:29 AM
I'm configuring Prime tacacs+ access, so every login account goes through our ISE deployment for the right authorization. I got this working for radius but it seems that this configuration doesn't work for tacacs+.
Radius configuration that works
ACCESS_ACCEPT
cisco-av-pair=NCS:role0=Root
cisco-av-pair=NCS:task26=All
cisco-av-pair=NCS:task15=Administration Menu Access
cisco-av-pair=NCS:task52=Help Menu Access
cisco-av-pair=NCS:task67=Services Menu Access
cisco-av-pair=NCS:task89=Monitor Menu Access
cisco-av-pair=NCS:task118=Home Menu Access
cisco-av-pair=NCS:task138=Reports Menu Access
cisco-av-pair=NCS:task141=Tools Menu Access
cisco-av-pair=NCS:task158=Configure Menu Access
cisco-av-pair=NCS:virtual-domain0=ROOT-DOMAIN
I only have to give the authorization profile access to the 'main menus'; it seems to work with task 26 'all'. However, this configuration doesn't work for tacacs+. I also figured out that the task numbers have been switched between the different versions of Prime. I can't figure out which task numbers are correct. The documentation on this part of the configuration is missing in the official guides. Any help would be appreciated.
The goal is to give the user root access in Cisco Prime 1.3, with all levels. But authentication must go through our ISE server deployment, so we can use our own authentication backend (RSA, Active Directory).
07-15-2013 07:59 AM
Are you looking for the roles that need to be assigned? I'm going to assume the roles will be the same for ISE as they are for ACS. If you navigate to Administration --> Virtual Domain --> and then click "Export" on the top left side you should be able to export the roles needed for TACACS. You will need to do this for each virtual domain.
If this post answers your question or is helpful, please consider rating it and/or marking as answered.
07-15-2013 08:10 AM
Actually, the above is incomplete. That will just get you part of what you need. You also need to navigate to Administration --> Users, Roles & AAA --> User Groups. Choose the type of user you want to assign to your shell profile and click the task list. The task list will include all the roles you need. The first post will be needed to assign the virtual domain to the user only. Both are needed.
If this post answers your question or is helpful, please consider rating it and/or marking as answered.
07-16-2013 01:14 AM
Hi Christopher,
You're right. I was searching exactly in the wrong place. Like you said in the first post, that was the place I was searching. So for each Prime version changes are made here.