<HTML><BODY>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">Hello Team,</span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><span style="mso-tab-count:1"> </span>Could you please help us? We are
trying to integrate Cisco ACI with Shrubbery TACACS+ (version - tac_plus-4.0.3-2.i386.rpm),
unfortunately without success. Our TACACS+ config is as follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">host =
EO_devices {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><span style="mso-spacerun:yes"> </span>key = test<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><span style="mso-spacerun:yes"> </span>address = 10.10.10.10<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><span style="mso-tab-count:3"> </span><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">group =
admin_EO_ACI {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><span style="mso-spacerun:yes"> </span>default service = permit<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><span style="mso-spacerun:yes"> </span>service = shell {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><span style="mso-tab-count:2"> </span>set
domains=all/read-all<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><span style="mso-spacerun:yes"> </span>}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">user = user
{<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><span style="mso-spacerun:yes"> </span>member = admin_EO_ACI@EO_devices<o:p></o:p></span></p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal" style="text-indent:35.4pt"><span lang="EN-US" style="mso-ansi-language:EN-US"> In the log we see - <i style="mso-bidi-font-style:
normal"><u>authentication.log:2020-10-20 12:09:58 +0300<span style="mso-spacerun:yes"> </span>10.10.10.10: pap login for 'gosho' from 100.100.100.100
on REST failed (denied)</u></i><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-tab-count:1"> </span><span lang="EN-US" style="mso-ansi-language:EN-US">In Cisco’s doc - <a href="https://community.cisco.com/t5/data-center-documents/configuring-tacacs-authentication-to-aci-fabric-with-cisco-acs/ta-p/3228328">https://community.cisco.com/t5/data-center-documents/configuring-tacacs-authentication-to-aci-fabric-with-cisco-acs/ta-p/3228328</a>
we see that we need to add the Unix ID after domains=all… We tried that and the result was
the same:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><br></span></p>
<p class="MsoNormal">group = admin_EO_ACI {</p>
<p class="MsoNormal"> default service = permit</p>
<p class="MsoNormal"> service = shell {</p>
<p class="MsoNormal"> domains=all/admin/(16005) </p>
<p class="MsoNormal"> }</p>
<p class="MsoNormal"><span lang="EN-US"></span></p>
<p class="MsoNormal">}</p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">BR,</span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">Vlad <o:p></o:p></span></p></BODY></HTML>