Cisco Support Community

Prime tacacs attributes

I'm configuring Prime tacacs+ access. So every login account goes through our ISE deployment for the right authorization. I got this working for radius but it seems that this configuration doesn't work for tacacs+.

Radius configuration that works

ACCESS_ACCEPT

cisco-av-pair=NCS:role0=Root

cisco-av-pair=NCS:task26=All

cisco-av-pair=NCS:task15=Administration Menu Access

cisco-av-pair=NCS:task52=Help Menu Access

cisco-av-pair=NCS:task67=Services Menu Access

cisco-av-pair=NCS:task89=Monitor Menu Access

cisco-av-pair=NCS:task118=Home Menu Access

cisco-av-pair=NCS:task138=Reports Menu Access

cisco-av-pair=NCS:task141=Tools Menu Access

cisco-av-pair=NCS:task158=Configure Menu Access

cisco-av-pair=NCS:virtual-domain0=ROOT-DOMAIN

I only have to give the authorization profile access to the 'main menus'; it seems to work with task 26 'All'. However, this configuration doesn't work for tacacs+. I also figured out that the task numbers have been switched between the different versions of Prime. I can't figure out which task numbers are correct. The documentation on this part of the configuration is missing in the official guides. Any help would be appreciated.

The goal is to give the user root access in Cisco Prime 1.3, with all levels. But authentication must go through our ISE server deployment, so we can use our own authentication backend (RSA, Active directory)


Prime tacacs attributes

Are you looking for the roles that need to be assigned?  I'm going to assume the roles will be the same for ISE as they are for ACS.  If you navigate to Administration --> Virtual Domain --> and then click "Export" on the top left side you should be able to export the roles needed for TACACS.  You will need to do this for each virtual domain.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Re: Prime tacacs attributes

Actually, the above is incomplete.  That will just get you part of what you need.  You also need to navigate to Administration --> Users, Roles & AAA, --> User Groups.  Choose the type of user you want to assign to your shell profile and click the task list.  The task list will include all the roles you need. The first post will be needed to assign the virtual domain to the user only.  Both are needed.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Re: Prime tacacs attributes

Hi Christopher,

You're right. I was searching exactly in the wrong place. Like you said in the first post, that was the place I was searching. So for each Prime version changes are made here.
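
An added example (not from the thread or from Cisco): because the task numbers differ between Prime versions, this script compares the attribute lines in an AAA authorization profile against the list exported from the running Prime version and reports renumbered or missing tasks and a missing virtual domain. It assumes both lists use the `role<N>=`, `task<N>=` and `virtual-domain<N>=` line form shown in the first post, with the `cisco-av-pair=` and `NCS:` prefixes optional; the sample lists are constructed.

```python
import re

# Matches lines such as "cisco-av-pair=NCS:task26=All"; both prefixes are
# optional so a bare "task26=All" list parses too (assumption, see lead-in).
ATTR = re.compile(r"^(?:cisco-av-pair=)?(?:NCS:)?(role|task|virtual-domain)(\d+)=(.+)$")

def parse_attrs(text):
    """Return {kind: {value: index}} for role, task and virtual-domain lines."""
    out = {"role": {}, "task": {}, "virtual-domain": {}}
    for line in text.splitlines():
        m = ATTR.match(line.strip())
        if m:
            kind, idx, value = m.groups()
            out[kind][value.strip()] = int(idx)
    return out

def compare(profile_text, export_text):
    """Compare the AAA profile against the list exported from Prime."""
    prof, exp = parse_attrs(profile_text), parse_attrs(export_text)
    report = {"renumbered": [], "missing": [], "unknown": []}
    for kind in ("role", "task"):
        for value, idx in exp[kind].items():
            if value not in prof[kind]:
                report["missing"].append(f"{kind}{idx}={value}")
            elif prof[kind][value] != idx:
                # (name, index in profile, index in export)
                report["renumbered"].append((value, prof[kind][value], idx))
        report["unknown"] += [f"{kind}{i}={v}" for v, i in prof[kind].items()
                              if v not in exp[kind]]
    # The replies state that the virtual domain must be assigned as well.
    report["has_virtual_domain"] = bool(prof["virtual-domain"])
    return report

# Constructed sample data: PROFILE reuses attribute lines from the first post;
# EXPORT is an invented list standing in for another Prime version's export.
PROFILE = """\
cisco-av-pair=NCS:role0=Root
cisco-av-pair=NCS:task26=All
cisco-av-pair=NCS:task15=Administration Menu Access
cisco-av-pair=NCS:task52=Help Menu Access
"""
EXPORT = """\
NCS:role0=Root
NCS:task0=All
NCS:task15=Administration Menu Access
NCS:task3=Help Menu Access
NCS:task4=Reports Menu Access
NCS:virtual-domain0=ROOT-DOMAIN
"""

if __name__ == "__main__":
    for key, val in compare(PROFILE, EXPORT).items():
        print(key, val)
```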
