[tac_plus] Integration between TACACS+ and Cisco ACI
john heasley
heas at shrubbery.net
Tue Oct 20 21:27:26 UTC 2020
Tue, Oct 20, 2020 at 12:28:48PM +0300, Vladi_slav Vassilev:
> Could you please help us? We are
> trying to integrate Cisco ACI with shrubbery TACACS+ (version - tac_plus-4.0.3-2.i386.rpm).
> Unfortunately not successfully, our TACACS+ config is as follows:
>
> host = EO_devices {
>     key = test
>     address = 10.10.10.10
> }
>
> group = admin_EO_ACI {
>     default service = permit
>     service = shell {
>         set domains=all/read-all
>     }
> }
>
> user = user {
>     member = admin_EO_ACI at EO_devices
>
> In the log we see -
> authentication.log:2020-10-20 12:09:58 +0300 10.10.10.10: pap login for 'gosho' from 100.100.100.100 on REST failed (denied)
^^^
I suspect that the device is requesting service ppp. Perhaps enable debug
logging to collect more info about the service being requested; -d 16.
> Cisco’s doc - https://community.cisco.com/t5/data-center-documents/configuring-tacacs-authentication-to-aci-fabric-with-cisco-acs/ta-p/3228328
> we see that we need to add Unix ID after domains=all… we tried the result was
> the same:
> group = admin_EO_ACI {
>     default service = permit
>     service = shell {
>         domains=all/admin/(16005)
>     }
> }
>
> BR,
>
> Vlad