ACS TACACS Custom Attributes

jms112080 · ‎05-28-2010

I have users that require multiple custom attributes under the TACACS configuration. Below are the two that are required, one is for Cisco UCS and the other is for MDS. My question is what is the format to get both of them to work for the same user? Individually they work fine, but when both are configured for the same user, the UCS "admin" privilage seems to work, but I'm only able to get "read" for the MDS. I've had this working before, and can't figure out what the trick was the first time around. Thanks.

cisco-av-pair*shell:roles*"admin"

shell:roles=“network-admin vsan-admin”

Jatin Katyal · ‎05-29-2010

You can also configure optional custom attributes to avoid conflicts with non-MDS Cisco switches using the same AAA servers.

cisco-av-pair*shell:roles*"network-admin vsan-admin"

Configuring TACACS+: on cisco MDS 9000
http://www.cisco.com/en/US/partner/products/ps5989/products_configuration_guide_chapter09186a008049b8ed.html#wp1244464

If you have this Cisco-av-pair:

cisco-av-pair*shell:roles*"admin" --> Then it means it's optional, this would be the preferred method.

You can get a list of roles on UCS:
http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/cli/config/gui/CLI_Config_Guide_chapter9.html#concept_E41FB2D2F363406EAC1011CC59B5D4BB

HTH

JK

Do rate helpful posts-

~Jatin

tin.ngo · ‎08-24-2010

Hi there,

We are looking at seting up UCS on TACACS.

The one question I can't find in the documentation is what happens when TACACS server fail?

One would assume that it would fall back to Local but I can't seem to find this information.

Regards - TN.