ACS TACACS Custom Attributes

Unanswered Question
May 28th, 2010

I have users that require multiple custom attributes under the TACACS configuration. Below are the two that are required, one is for Cisco UCS and the other is for MDS. My question is what is the format to get both of them to work for the same user? Individually they work fine, but when both are configured for the same user, the UCS "admin" privilege seems to work, but I'm only able to get "read" for the MDS. I've had this working before, and can't figure out what the trick was the first time around. Thanks.

cisco-av-pair*shell:roles*"admin"

shell:roles=“network-admin vsan-admin”

Jatin Katyal Sat, 05/29/2010 - 08:01

You can also configure optional custom attributes to avoid conflicts with non-MDS Cisco switches using the same AAA servers.


cisco-av-pair*shell:roles*"network-admin vsan-admin"

Configuring TACACS+ on Cisco MDS 9000:
http://www.cisco.com/en/US/partner/products/ps5989/products_configuration_guide_chapter09186a008049b8ed.html#wp1244464

If you have this Cisco-av-pair:

cisco-av-pair*shell:roles*"admin" --> then it means it's optional; this would be the preferred method.

You can get a list of roles on UCS:
http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/cli/config/gui/CLI_Config_Guide_chapter9.html#concept_E41FB2D2F363406EAC1011CC59B5D4BB


HTH

JK


Do rate helpful posts-
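
As an added illustration (not part of the thread and not Cisco's code), this sketch shows why the optional `*` separator avoids conflicts on a shared AAA server: under the TACACS+ rule in RFC 8907, a client must fail authorization on a mandatory (`=`) argument it does not understand, but may ignore an optional (`*`) one. The device profiles and the `priv-lvl=15` argument are constructed assumptions; real devices may behave differently.

```python
import re

def parse_av_pair(arg):
    """Split a TACACS+ argument at the first '=' (mandatory) or '*' (optional)."""
    m = re.match(r'^([^=*]+)([=*])(.*)$', arg)
    if not m:
        raise ValueError(f"not an attribute-value pair: {arg!r}")
    name, sep, value = m.groups()
    # Drop one pair of surrounding double quotes, if present.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return {"name": name, "mandatory": sep == "=", "value": value}

def authorize(args, supported):
    """Client-side decision: an unknown mandatory argument fails the whole
    authorization; an unknown optional argument is ignored."""
    applied, ignored = {}, []
    for arg in args:
        av = parse_av_pair(arg)
        if av["name"] in supported:
            applied.setdefault(av["name"], []).append(av["value"])
        elif av["mandatory"]:
            return {"result": "FAIL", "reason": av["name"],
                    "applied": {}, "ignored": ignored}
        else:
            ignored.append(av["name"])
    return {"result": "PASS", "reason": None,
            "applied": applied, "ignored": ignored}

# Constructed (hypothetical) client profiles: attribute names each one understands.
ROLE_AWARE = {"priv-lvl", "shell:roles"}   # e.g. a device that uses shell:roles
OTHER_SWITCH = {"priv-lvl"}                # a device that does not

# Constructed replies from the shared AAA server for the same user.
OPTIONAL_REPLY = ['priv-lvl=15', 'shell:roles*"network-admin vsan-admin"']
MANDATORY_REPLY = ['priv-lvl=15', 'shell:roles="network-admin vsan-admin"']

if __name__ == "__main__":
    for label, reply in (("optional", OPTIONAL_REPLY), ("mandatory", MANDATORY_REPLY)):
        for dev, profile in (("role-aware", ROLE_AWARE), ("other switch", OTHER_SWITCH)):
            print(f"{label:9} -> {dev:12}: {authorize(reply, profile)}")
```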

tin.ngo Tue, 08/24/2010 - 06:44

Hi there,

We are looking at setting up UCS on TACACS.

The one question I can't find in the documentation is what happens when the TACACS server fails?

One would assume that it would fall back to Local but I can't seem to find this information.

Regards - TN.
