thomas
Cisco Employee

These attributes are used with Device Administration / TACACS+ and are found as dictionaries and attributes in the Cisco Identity Services Engine (ISE) Conditions Studio when configuring a Device Administration Policy Set.

These dictionaries and attributes are also listed in the ISE Dictionaries (Policy > Policy Elements > Dictionaries) under TACACS. You may select an attribute and view its Allowed Values.

Attribute   Values   ISE Version   Usage Description

Device

     
Device Type   2.x  
IPSEC   2.x  
Location   2.x  
Model Name   2.x  
Network Device Profile   2.x  
Software Version   2.x  

IdentityGroup

     
Description   2.x  
Name   2.x  

InternalUser

     
Description   2.x  
EnableFlag   2.x  
Firstname   2.x  
IdentityGroup   2.x  
Lastname   2.x  
Name   2.x  
OPC   ?  
SubscriberKey   ?  
UserType   2.x  

Network Access

     
AD-Host-DNS-Domain   2.x  
AD-Host-Join-Point   2.x  
AD-User-DNS-Domain   2.x  
AD-User-Join-Point   2.x  
AuthenticationIdentityStore   2.x  
AuthenticationMethod   2.x  
AuthenticationStatus   2.x  
Device IP Address   2.x  
EapAuthentication   2.x  
EapChainingResult   2.x  
EapTunnel   2.x  
GroupsOrAttributesProcessFailure   2.x  
ISE Host Name   2.x  
MachineAuthenticationIdentityStore   2.x  
NetworkDeviceName   2.x  
Protocol   2.x  
RADIUS Server   2.x  
RADIUS Server Sequence   2.x  
SessionLimitExceeded   2.x  
UseCase   2.x  
UserName   2.x  
VN   ?  
WasMachineAuthenticated   2.x  

TACACS

    These were taken from RFC-8907, The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol
Action   2.x action
This indicates the authentication action.
TAC_PLUS_AUTHEN_LOGIN := 0x01
TAC_PLUS_AUTHEN_CHPASS := 0x02
TAC_PLUS_AUTHEN_SENDAUTH := 0x04
Authen-Method   2.x  
Authen-Type   2.x  
AVPair   2.x  
Header-Flags   2.x flags
This field contains various bitmapped flags.
MajorVersion   2.x major_version
This is the major TACACS+ version number.
TAC_PLUS_MAJOR_VER := 0xc
MinorVersion   2.x minor_version
This is the minor TACACS+ version number.
TAC_PLUS_MINOR_VER_DEFAULT := 0x0
TAC_PLUS_MINOR_VER_ONE := 0x1
Port   2.x  
Privilege-Level   2.x priv-lvl (Numeric)
The privilege level to be assigned.
TAC_PLUS_PRIV_LVL_MIN := 0x00. The level normally allocated to an unauthenticated session.
TAC_PLUS_PRIV_LVL_USER := 0x01. The level normally allocated to a regular authenticated session.
TAC_PLUS_PRIV_LVL_ROOT := 0x0f. The level normally allocated to a session authenticated by a highly privileged user to allow commands with significant system impact.
TAC_PLUS_PRIV_LVL_MAX := 0x0f. The highest privilege level.
Protocol-Argument   2.x  
RealAction   2.x Same as Action
Remote-Address   2.x  
Sequence-Number   2.x seq_no
This is the sequence number of the current packet. The first packet in a session MUST have the sequence number 1, and each subsequent packet will increment the sequence number by one. TACACS+ clients only send packets containing odd sequence numbers, and TACACS+ servers only send packets containing even sequence numbers.
Service   2.x authen_service
This is the service that is requesting the authentication.
TAC_PLUS_AUTHEN_SVC_NONE := 0x00
TAC_PLUS_AUTHEN_SVC_LOGIN := 0x01 (default)
TAC_PLUS_AUTHEN_SVC_ENABLE := 0x02
TAC_PLUS_AUTHEN_SVC_PPP := 0x03
TAC_PLUS_AUTHEN_SVC_PT := 0x05
TAC_PLUS_AUTHEN_SVC_RCMD := 0x06
TAC_PLUS_AUTHEN_SVC_X25 := 0x07
TAC_PLUS_AUTHEN_SVC_NASI := 0x08
TAC_PLUS_AUTHEN_SVC_FWPROXY := 0x09
Service-Argument   2.x Use the Service-Argument to determine which vendor/product the request is coming from.
Vendor Service-Argument
Avaya ?
Brocade ?
Checkpoint ?
Cisco shell
Juniper junos-exec
Alcatel ?
Alteon ?
F5 F5-LTM-User-Info-1=ADMIN_ROLE
F5-LTM-User-Console=1
F5-LTM-User-Role=0
F5-LTM-User-Partition=all
F5-BIGIQ-User-Info-01=bigiq-admin
Extreme ?
Fortinet admin_prof=super_admin
memberof=Fortinet_Admins
HP ?
Huawei ?
MikroTik ?
Omnivista ?
Palo Alto ?
Riverbed riverbed-roles-list=System Administrator
service=system
SessionId   2.x session_id
The Id for this TACACS+ session. This field does not change for the duration of the TACACS+ session. This number MUST be generated by a cryptographically strong random number generation method. Failure to do so will compromise security of the session. For more details, refer to [RFC4086].
Type   2.x type
This is the packet type.
TAC_PLUS_AUTHEN := 0x01 (Authentication)
TAC_PLUS_AUTHOR := 0x02 (Authorization)
TAC_PLUS_ACCT := 0x03 (Accounting)
User   2.x a user (or entity)
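
As an added example (not part of the original article and not Cisco code), the following Python decodes the 12-byte TACACS+ header that the MajorVersion, MinorVersion, Type, Sequence-Number, Header-Flags and SessionId attributes above are drawn from, and reports values a defender would not expect to see. The header layout and the two flag names come from RFC 8907; the function name, the `Sender`, `BodyLength` and `Problems` keys, and the sample bytes are assumptions constructed for this example.

```python
import struct

# Values listed in the table above (names from RFC 8907).
TAC_PLUS_MAJOR_VER = 0xC
PACKET_TYPES = {0x01: "TAC_PLUS_AUTHEN", 0x02: "TAC_PLUS_AUTHOR", 0x03: "TAC_PLUS_ACCT"}
# Flag bits defined in RFC 8907; the page itself does not enumerate them.
FLAGS = {0x01: "TAC_PLUS_UNENCRYPTED_FLAG", 0x04: "TAC_PLUS_SINGLE_CONNECT_FLAG"}


def parse_header(data: bytes) -> dict:
    """Decode the fixed 12-byte TACACS+ header and sanity-check its fields."""
    if len(data) < 12:
        raise ValueError("TACACS+ header is 12 bytes")
    # version, type, seq_no, flags are one byte each; session_id and length
    # are 32-bit big-endian integers.
    ver, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", data[:12])
    major, minor = ver >> 4, ver & 0x0F  # high nibble / low nibble
    problems = []
    if major != TAC_PLUS_MAJOR_VER:
        problems.append(f"unexpected major_version 0x{major:x}")
    if minor not in (0x0, 0x1):
        problems.append(f"unexpected minor_version 0x{minor:x}")
    if ptype not in PACKET_TYPES:
        problems.append(f"unknown type 0x{ptype:02x}")
    if seq_no == 0:
        problems.append("seq_no 0 is invalid; a session starts at 1")
    if flags & 0x01:
        problems.append("TAC_PLUS_UNENCRYPTED_FLAG set: body is not obfuscated")
    return {
        "MajorVersion": major,
        "MinorVersion": minor,
        "Type": PACKET_TYPES.get(ptype, "unknown"),
        "Sequence-Number": seq_no,
        # Clients send odd sequence numbers, servers send even ones.
        "Sender": "client" if seq_no % 2 else "server",
        "Header-Flags": [name for bit, name in FLAGS.items() if flags & bit],
        "SessionId": session_id,
        "BodyLength": length,
        "Problems": problems,
    }


# Constructed sample headers (not captured traffic):
# version, type, seq_no, flags, session_id, length.
CLIENT_START = bytes.fromhex("c0" "01" "01" "00" "a1b2c3d4" "00000020")
SERVER_REPLY = bytes.fromhex("c1" "01" "02" "01" "a1b2c3d4" "00000006")
BAD_HEADER = bytes.fromhex("d0" "07" "00" "00" "00000001" "00000000")
```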
