New Member

Cisco Prime Infrastructure 1.3 - Creating custom TACACS+ Attributes / Shell Profile for ACS 5.3

As titled, currently under Administration > Users, Roles & AAA > User Groups > Export Task List under Cisco PI 1.3

All the attributes are "=", which is mandatory.

Any way I can make this optional?

The reason is that I want to use the same TACACS username for Cisco PI 1.3, IOS and NX-OS devices. NX-OS devices require shell profiles to be optional.

Thanks.

2 REPLIES
Cisco Employee

Hi Robert:

All are mandatory.  If there were any that were optional, they would have been listed as such.  Wish it was better news.

New Member

Robert-

If you create a separate service rule, you can have it fork TACACS authentication requests from that specific IP to a different Service identity and authorization process, where you can tell it to select a specific shell profile.  Then all you have to do is create a separate shell profile for managing Prime and have that one selected.  We do this with our UCS devices, regular router/switch CLI logins, etc.

So for example:

UCS: TACACS request --> if match service selection rule "from UCS devices", go to UCS admin access policy -->  if match UCS admin identity requirements, give UCS admin shell profile

PI: TACACS request --> if match service selection rule "from PI devices", go to PI admin access policy -->  if match PI admin identity requirements (which are same as UCS), give PI admin shell profile

Default: TACACS request --> if match TACACS protocol from our IP range, go to default device admin policy --> if match default identity requirements, give default admin shell profile

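The following is an added example, not part of either reply and not ACS or Prime code. It models the first-match service selection by source IP described above, together with the TACACS+ rule (RFC 8907) that a client fails authorization on a mandatory (`=`) attribute it does not understand but may ignore an optional (`*`) one. All addresses, rule names, attribute values and the "understood" sets are constructed placeholders.

```python
import ipaddress

# Constructed sample policy: networks, names and attribute values are
# placeholders, not taken from the thread or from any product export.
SERVICE_SELECTION_RULES = [  # evaluated top-down, first match wins
    ("from PI devices", "192.0.2.10/32", "PI admin shell profile"),
    ("default device admin", "192.0.2.0/24", "default admin shell profile"),
]
SHELL_PROFILES = {
    "PI admin shell profile": ["role0=Admin", "task0=View Alerts"],
    "default admin shell profile": ["priv-lvl=15", "shell:roles*network-admin"],
}

def select_profile(client_ip):
    """Return the shell profile chosen for the AAA client's source IP."""
    addr = ipaddress.ip_address(client_ip)
    for _rule, network, profile in SERVICE_SELECTION_RULES:
        if addr in ipaddress.ip_network(network):
            return profile
    return None  # no rule matched: the request gets no profile

def parse_av(pair):
    """Split 'name=value' (mandatory) or 'name*value' (optional)."""
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], ch == "=", pair[i + 1:]
    raise ValueError(f"no separator in {pair!r}")

def client_accepts(av_pairs, understood):
    """Client-side view: an unknown mandatory attribute fails the
    authorization, an unknown optional attribute is skipped."""
    applied = {}
    for pair in av_pairs:
        name, mandatory, value = parse_av(pair)
        if name in understood:
            applied[name] = value
        elif mandatory:
            return False, {}
    return True, applied
```

Because the PI profile is only returned for requests from the PI source address, its all-mandatory attributes never reach CLI devices that would reject them.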