Cisco Support Community

New Member

TACACS Custom Attributes

I am trying to configure a user to authenticate using a Cisco ACS v4.1. The user will require access to a Cisco ACE module using a specific role and domain. In order to do this I need to add the following to the TACACS custom attributes: "shell:development=Server-Maintenance dba". The user also should be able to authenticate and access routers and switches at privilege level 15.

If I leave the custom attributes out, the user can access the router/switches, but not the ACE. If I add the custom attributes in, the user can access the ACE but not the routers/switches.

What do I need to do to be able to access both with the same account??

New Member

Re: TACACS Custom Attributes

Unfortunately that solution does not work for me. On some of the IOS devices I get logged in at privilege level 0 and can then change to level 15. On other IOS devices I get an "authorization failed" message and then the session closes. Without the ACE attributes set both systems log me in with privilege level 15.

The TACACS configuration appears to be identical on both systems.

Any ideas??

New Member

Re: TACACS Custom Attributes

I found the solution to the problem. The custom attributes for the ACE must be configured as optional (using *) rather than mandatory (using =). Therefore, this will work:

shell:development*Admin default-domain

But this will not:

shell:development=Admin default-domain
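
The difference between the two forms above, as an added example that is not part of the original thread: in the TACACS+ protocol (RFC 8907) a client that receives a mandatory (`=`) argument it cannot handle must treat authorization as failed, while an unhandled optional (`*`) argument is ignored. The `IOS_LIKE` and `ACE_LIKE` attribute sets are simplified assumptions for illustration, not the devices' real attribute lists.

```python
import re

# Hypothetical, simplified sets of attributes each client type understands.
IOS_LIKE = {"priv-lvl"}
ACE_LIKE = {"shell:development"}


def parse_av_pair(pair):
    """Split a TACACS+ argument at its first '=' (mandatory) or '*' (optional)."""
    m = re.match(r"^([^=*]+)([=*])(.*)$", pair)
    if not m:
        raise ValueError(f"not an attribute-value pair: {pair!r}")
    name, sep, value = m.groups()
    return name, sep == "=", value


def authorize(av_pairs, supported):
    """Model client-side handling of an authorization reply.

    Returns (ok, applied): ok is False as soon as a mandatory attribute
    is not in `supported`; unsupported optional attributes are skipped.
    """
    applied = {}
    for pair in av_pairs:
        name, mandatory, value = parse_av_pair(pair)
        if name in supported:
            applied[name] = value
        elif mandatory:
            return False, {}  # unknown mandatory attribute: authorization fails
    return True, applied


if __name__ == "__main__":
    # Constructed profiles: priv-lvl plus the ACE attribute in each form.
    for sep in ("=", "*"):
        profile = ["priv-lvl=15", f"shell:development{sep}Admin default-domain"]
        print(sep, "IOS-like:", authorize(profile, IOS_LIKE))
    print("* ACE-like:",
          authorize(["shell:development*Admin default-domain"], ACE_LIKE))
```
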