Cisco Support Community
Community Member

MDS9500 - TACACS

I am having issues authenticating with network-admin privileges via TACACS on the MDS. I defined the custom AV attribute in the TACACS settings on ACS as follows:

cisco-av-pair=shell:roles="network-admin"

For some reason it doesn't seem like the AV pair is passing to the MDS and I always am given network-operator privileges.

Any ideas on what I could check?

3 REPLIES
Cisco Employee

Re: MDS9500 - TACACS

Try this AV Pair instead:

cisco-av-pair*shell:roles="network-admin"

Community Member

Re: MDS9500 - TACACS

Still no luck. I do see the following entry in the messages:

Trap (DE)Register at /1.1.1.1 failed. Permission denied or feature disabled.

Could that have anything to do with the MDS not accepting the AV pair?

Cisco Employee

Re: MDS9500 - TACACS

Yes, sounds like you need a little more involvement than this forum offers. So, if you do not have a key between the MDS and the TACACS server, go ahead and get a sniffer trace showing a login. Get a debug aaa all at the same time. Depending on who your support is with (an OSM or Cisco), go ahead and open a support case.
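
The sniffer trace suggested in the last reply can be checked offline. The following is an added example (not part of the thread and not Cisco code): it parses an unobfuscated TACACS+ authorization reply using the RFC 8907 layout and reports whether a shell:roles value came back. The sample packet is constructed, and accepting the role both bare and nested under cisco-av-pair is an assumption, since the thread does not show the wire form.

```python
import struct

AUTHOR, UNENCRYPTED = 0x02, 0x01          # header type and flag bit (RFC 8907)
STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR"}

def split_av(arg):
    """Split at the first '=' (mandatory) or '*' (optional) separator."""
    hits = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
    if not hits:
        return arg, None, ""
    i = min(hits)
    return arg[:i], arg[i] == "=", arg[i + 1:]

def parse_author_reply(pkt):
    """Return (status, [(name, mandatory, value), ...]) for a cleartext reply."""
    if len(pkt) < 18:
        raise ValueError("too short for header plus reply body")
    _ver, ptype, seq, flags, _sess, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:12 + length]
    if ptype != AUTHOR or seq % 2:         # server packets carry an even seq_no
        raise ValueError("not an authorization reply")
    if not flags & UNENCRYPTED:
        raise ValueError("body is obfuscated with the shared key")
    if len(body) != length or length < 6:
        raise ValueError("truncated packet")
    status, argc, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + argc]
    pos = 6 + argc + msg_len + data_len    # skip server_msg and data
    if len(lens) != argc or pos + sum(lens) > len(body):
        raise ValueError("argument lengths exceed body")
    args = []
    for n in lens:
        args.append(split_av(body[pos:pos + n].decode("ascii", "replace")))
        pos += n
    return STATUS.get(status, hex(status)), args

def shell_roles(args):
    """Roles from shell:roles, bare or nested under cisco-av-pair (assumption)."""
    for name, _mandatory, value in args:
        if name == "cisco-av-pair":
            name, _mandatory, value = split_av(value)
        if name == "shell:roles":
            return value.strip('"').split()
    return []

def build_reply(av_strings, status=0x01):
    """Constructed sample packet (arbitrary session id), not a real capture."""
    raw = [s.encode() for s in av_strings]
    body = struct.pack("!BBHH", status, len(raw), 0, 0) + bytes(map(len, raw)) + b"".join(raw)
    return struct.pack("!BBBBII", 0xC0, AUTHOR, 2, UNENCRYPTED, 0x1234, len(body)) + body

SAMPLE = build_reply(['priv-lvl=15', 'cisco-av-pair*shell:roles="network-admin"'])
```

An empty list from `shell_roles` on a PASS reply means the server never sent the role attribute, which points at the ACS profile rather than at the switch.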
