Adding a user role for SAN switches

Answered Question
Aug 23rd, 2007

I am trying to find the correct location in ACS 3.3 to add the following: roles="network-admin". We have our SAN switches using TACACS+. When a user other than admin logs in, you get the role "network-operator". This doc, Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x, explains the role if you are using IOS/PIX RADIUS. Thank you.

Correct Answer
Jagdeep Gambhir Thu, 08/23/2007 - 07:57

Hi Ed,

Here is the link,

http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_2_x/san-os/configuration/guide/cradtac.html

If you search for:

TACACS+ custom attributes can be defined on an Access Control Server (ACS) for various services (for example, shell). Cisco MDS 9000 Family switches require the TACACS+ custom attribute for the service shell to be used for defining roles.


Cisco ACS TACACS+


shell:roles="network-admin"

shell:roles*"network-admin"

cisco-av-pair*shell:roles="network-admin"

cisco-av-pair*shell:roles*"network-admin"

cisco-av-pair=shell:roles*"network-admin"


On the ACS, if you go to: Interface configuration, TACACS+ (Cisco IOS), place a check next to: "Display a window for each service selected in which you can enter customized TACACS+ attributes".


Then go into Group Setup and define the role information according to the above attributes.


Hope that helps


Regards,

~JG
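
As an added example (not part of the original answer or of Cisco's documentation), this Python script checks ACS group attribute strings against the role-attribute forms listed above and reports which groups would receive network-admin. The group names and sample strings are constructed; the space-separated role list and the network-operator fallback (taken from the question) are assumptions.

```python
import re

# Forms listed in the answer: optional "cisco-av-pair" prefix, then shell:roles,
# each joined by "=" (mandatory TACACS+ AV pair) or "*" (optional AV pair).
# Accepting either separator in both positions generalizes the five listed forms.
_ROLE_AV = re.compile(
    r'^(?:cisco-av-pair\s*[=*]\s*)?shell:roles\s*([=*])\s*"([^"]*)"$'
)

# Assumption taken from the question: a login without a usable role
# attribute ends up as network-operator.
DEFAULT_ROLE = "network-operator"


def parse_roles(av_pair):
    """Return (roles, mandatory) for a role attribute, or None if unrecognized."""
    m = _ROLE_AV.match(av_pair.strip())
    if not m:
        return None
    roles = m.group(2).split()  # assumption: multiple roles are space-separated
    if not roles:
        return None
    return roles, m.group(1) == "="


def audit_groups(groups, privileged=("network-admin",)):
    """Map each group to its assumed effective roles and flag risky entries."""
    report = {}
    for name, av_pair in groups.items():
        parsed = parse_roles(av_pair) if av_pair else None
        roles = parsed[0] if parsed else [DEFAULT_ROLE]
        report[name] = {
            "roles": roles,
            "privileged": any(r in privileged for r in roles),
            # Attribute is set but matches none of the forms from the answer.
            "unrecognized": bool(av_pair) and parsed is None,
        }
    return report


# Constructed sample: hypothetical ACS group names and attribute strings.
SAMPLE_GROUPS = {
    "san-admins": 'shell:roles="network-admin"',
    "san-ops": 'cisco-av-pair*shell:roles*"network-operator"',
    "storage-team": "shell:roles=network-admin",  # quotes missing
    "helpdesk": "",                               # no attribute set
}

if __name__ == "__main__":
    for group, info in audit_groups(SAMPLE_GROUPS).items():
        print(group, info)
```

Groups flagged as privileged are the ones to review for least privilege; groups flagged as unrecognized have an attribute that does not match any form quoted in the answer.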

Jagdeep Gambhir Thu, 08/23/2007 - 09:01

Ed,

Nice to know that. Please mark it resolved so others can benefit from it.
