Configuring NCS and ACS 5.0 with AD and tacacs+

Unanswered Question
Jun 19th, 2012

Hi All

I am trying to get the ACS 5.3 to work with NCS but cannot make it work correctly.

I have looked at this link -


But this does not show how the ACS referencing AD groups would work when determining which custom attributes to use.

On the ACS 5.3 I have set up the following -

The AD is working and in Users and identity stores/External identity stores/Active Directory then my AD test works fine.

I have set up the Users and Identity stores/Identity Groups with appropriate IPs.

I have configured the Network Device Groups/Network Devices and AAA Clients with the IP address and Authentication options.

In Policy Elements/Authorisation and Permissions/device administration/shell profiles

I have created a shell profile called network shell pro

which has common tasks of def priv = 0 and max priv = 15

Custom attributes of the following -

role0            Mandatory  Admin
task7            Mandatory  Administration Menu Access
task69           Mandatory  Home menu access
virtual-domain1  Mandatory  CRUK
task80           Mandatory  License Check
virtual-domain0  Mandatory  ROOT-DOMAIN

In Access Policies/Access services/Default Device Admin

I have identity and Authorisation ticked -

identity = AD1

Authorisation =

name    AD1:External groups  Compound Condition  NDG:Device Type                  NDG:Location  time/date  identity group  shell profile
Rule-1  ANY                  AD Group            In all device types:Cisco Prime  Any           any        any             network shell pro

Now I can get into the NCS but I do not see any of the administration buttons on NCS - so this means the custom attributes are not working.

Any ideas on why this is not working - I shouldn't need a user for this on the ACS as it's using AD !!!

Thanks in Advance


Scott Fella Tue, 06/19/2012 - 07:53

For root access via tacacs, there are 100+ attributes you need to enter for the shell profile. You can get that list from the WCS/NCS. Seems like tacacs is working, you just need to define more roles.


Sent from Cisco Technical Support iPhone App
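
One way to act on the reply above, as an added example that is not part of the thread or of any Cisco tooling: compare the shell profile's custom attributes from the question with the attribute list copied from NCS, and report what is missing or different. The `name=value` export format and the contents of `NCS_EXPORT` are constructed assumptions, and the function names are hypothetical.

```python
import re

# Shell-profile custom attributes exactly as listed in the question (ACS side).
ACS_PROFILE = """\
role0            Mandatory  Admin
task7            Mandatory  Administration Menu Access
task69           Mandatory  Home menu access
virtual-domain1  Mandatory  CRUK
task80           Mandatory  License Check
virtual-domain0  Mandatory  ROOT-DOMAIN
"""

# Constructed stand-in for the list copied from NCS (assumed one name=value per
# line). The real list is far longer; the task0/task1 names are placeholders.
NCS_EXPORT = """\
role0=Admin
task0=Constructed Task A
task1=Constructed Task B
task7=Administration Menu Access
task69=Home Menu Access
task80=License Check
virtual-domain0=ROOT-DOMAIN
virtual-domain1=CRUK
"""

ACS_LINE = re.compile(r"^(\S+)\s+(Mandatory|Optional)\s+(.+?)\s*$")

def parse_acs(text):
    """Map attribute name -> value from 'name  requirement  value' lines."""
    matches = (ACS_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(3) for m in matches if m}

def parse_ncs(text):
    """Map attribute name -> value from 'name=value' lines."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {n.strip(): v.strip() for n, sep, v in pairs if sep and n.strip()}

def compare(acs, ncs):
    """Exact string comparison, so a case difference is reported for review."""
    return {
        "missing": sorted(k for k in ncs if k not in acs),  # in NCS list only
        "extra": sorted(k for k in acs if k not in ncs),    # in ACS profile only
        "differs": sorted(k for k in acs if k in ncs and acs[k] != ncs[k]),
    }

REPORT = compare(parse_acs(ACS_PROFILE), parse_ncs(NCS_EXPORT))

if __name__ == "__main__":
    for kind, names in REPORT.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```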

