Cisco Support Community

acs 5.4 tacacs authorization asr 9001

Hi

can someone help with tacacs attributes to authorize users on cisco asr 9001 (ios/xr)

thanks

Yoram


acs 5.4 tacacs authorization asr 9001

Hi,

what do you exactly need?

Rating useful replies is more useful than saying "Thank you"


acs 5.4 tacacs authorization asr 9001

Hi Amjad

i want to give users full access to the machine like local admin users (all tasks)

at this time when a user logs in (via tacacs) and issues the command "sh task" there are no tasks assigned to him.

i tried to configure it via policy element --> device admin --> shell profile but with no luck.

acs 5.4 tacacs authorization asr 9001

Hi Yoram,

What did you write in the shell profile? any document that you followed?

Rating useful replies is more useful than saying "Thank you"


Re: acs 5.4 tacacs authorization asr 9001

You need to know which task the command you are trying to issue belongs to.

Then, you need to know the task is mentioned under which task group.

check this link to see how to perform the above:

https://supportforums.cisco.com/docs/DOC-15944

Then you need to configure the TACACS+ server to return the attribute that puts the task under the user privilege:

see here: http://goo.gl/7YP5zu

I am using the following command in the ACS server under the user group config (we have 4.2 version):

task=rwx:admin,#cisco-support,#root-system

This will let the user inherit the read, write and execute access to the task "admin" and will put the user as part of the local (defined locally on the router) "cisco-support" and "root-system" user groups.

NOTE: we have done two things above: inherit the access to the task AND put the user as part of chosen local groups. I am not sure if one can be used without the other.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
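
Added example, not part of any post in this thread and not Cisco's code: a small Python parser for the `task=` attribute format shown above that lists everything a shell profile grants beyond read access, which is useful when reviewing ACS profiles for least privilege. The function names and the choice of which groups to flag are assumptions of this example; it cannot see what a locally defined group referenced with `#` actually permits on the router.

```python
from dataclasses import dataclass, field

# r/w/x are the permissions named in the thread; d (debug) is the fourth
# IOS XR task permission.
VALID_PERMS = set("rwxd")
# Assumption of this example: the two groups from the thread are the ones to flag.
SENSITIVE_GROUPS = {"root-system", "cisco-support"}


@dataclass
class TaskGrant:
    tasks: dict = field(default_factory=dict)   # task name -> set of permission letters
    groups: list = field(default_factory=list)  # local user groups named with '#'


def parse_task_attribute(attr):
    """Parse 'task=<perms>:<task>,#<group>,...' into a TaskGrant."""
    name, sep, value = attr.strip().partition("=")
    if not sep or name.strip() != "task":
        raise ValueError("not a task attribute: %r" % attr)
    grant = TaskGrant()
    for item in (part.strip() for part in value.strip().strip('"').split(",")):
        if item.startswith("#") and len(item) > 1:
            grant.groups.append(item[1:])
            continue
        perms, colon, task = item.partition(":")
        if not (colon and perms and task) or set(perms) - VALID_PERMS:
            raise ValueError("malformed element: %r" % item)
        grant.tasks.setdefault(task, set()).update(perms)
    return grant


def audit(grant):
    """List everything in the grant that exceeds read-only access."""
    findings = []
    for group in grant.groups:
        if group in SENSITIVE_GROUPS:
            findings.append("member of high-privilege group " + group)
    for task, perms in sorted(grant.tasks.items()):
        extra = "".join(sorted(perms - {"r"}))
        if extra:
            findings.append("task %s grants %s in addition to read" % (task, extra))
    return findings


# Constructed inputs: the attribute from the thread and a read-only variant.
FULL = parse_task_attribute("task=rwx:admin,#cisco-support,#root-system")
READ_ONLY = parse_task_attribute("task=r:acl,r:bgp,r:interface")
```
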


acs 5.4 tacacs authorization asr 9001

Hi Amjad

i already read that doc

i am using the vmware version acs 5.4

i did not find where to configure that attribute ":task=rwx:admin,#cisco-support,#root-system"


acs 5.4 tacacs authorization asr 9001

Hi Amjad

Thanks for your help

it was my mistake at the acs side (command sets)

acs 5.4 tacacs authorization asr 9001

Hi Yoram.

Great news. I was writing the reply to you and posted it also.
Hope it will be useful to other people as I already included a screenshot.

Regards,

Amjad

P.S: thanks for marking the correct answer.

Rating useful replies is more useful than saying "Thank you"


Hi,,i have created the task

Hi,

i have created the task group in ASR9K.

i have already integrated ACS 5.4, now i need to allow a user only for read access.

i am unable to identify what i need to configure in shell profile of the ACS 5.4

please see the task group below.

taskgroup xxx
 task read acl
 task read bgp
 task read admin
 task read static
 task read monitor
 task read network
 task read interface
 task read inventory
 task read route-map
 task read basic-services

Thanks and Regards

 Faiz Ahmad

 

acs 5.4 tacacs authorization asr 9001

We do value rating the replies. Non-useful replies can be marked with 1 or 2 stars also.

You need to edit the shell profile and go to the Custom Attributes tab. There you can add the task manually, either using the fields below and pressing the "Add" button, or you can press the "Bulk edit" button and enter something like:

task=rwx:admin,#cisco-support,#root-system

It will be eventually converted to the format you see below in the screenshot.

NOTE: You need to know what task and what user group your users should be assigned and use that in the text format you add to ACS.

the above attribute is just an example.

HTH

Rating useful replies is more useful than saying "Thank you"


acs 5.4 tacacs authorization asr 9001

Hi Amjad

many thanks again

it was more than useful

acs 5.4 tacacs authorization asr 9001

Thanks Yoram, you are most welcome.

Can you share with us what task and what user group you used? If someone faces the same issue it will be useful to them.

Rating useful replies is more useful than saying "Thank you"
