Cisco MDS 9000 Series Configuration Manual page 95

Security
Configuring Security Features on an External AAA Server
Example
You can use the show tacacs-server directed-request command to display the TACACS+ directed
request configuration.
switch# show tacacs-server directed-request
disabled
Defining Roles on the Cisco Secure ACS 5.x GUI
Enter the following in the GUI under Policy Elements:
Table 5: Role Definitions
Attribute        Requirement    Value
shell:roles      Optional       network-admin
Defining Custom Attributes for Roles
Cisco MDS 9000 Family switches use the TACACS+ custom attribute for service shells to configure roles to
which a user belongs. TACACS+ attributes are specified in name=value format. The attribute name for this
custom attribute is cisco-av-pair. The following example illustrates how to specify roles using this attribute:
cisco-av-pair=shell:roles="network-admin vsan-admin"
You can also configure optional custom attributes to avoid conflicts with non-MDS Cisco switches using the
same AAA servers. In TACACS+, the separator marks the attribute as mandatory (=) or optional (*); a device
that does not recognize an optional attribute can ignore it instead of failing the authorization.
cisco-av-pair*shell:roles="network-admin vsan-admin"
The custom attribute shell:roles is also supported on its own, in either form:
shell:roles="network-admin vsan-admin"
OR
shell:roles*"network-admin vsan-admin"
Note
TACACS+ custom attributes can be defined on an Access Control Server (ACS) for various services (for
example, shell). Cisco MDS 9000 Family switches require the TACACS+ custom attribute for the service
shell to be used for defining roles.
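The two attribute forms above (cisco-av-pair wrapping shell:roles, and shell:roles on its own), each with either separator, are what a TACACS+ client has to unpack from an authorization reply. The following Python example is added here; it is not from the Cisco guide or from NX-OS. It splits each TACACS+ argument at its first = or * (mandatory or optional, as the TACACS+ protocol defines them), recognizes both the wrapped and the direct shell:roles form, and returns the de-duplicated role list. The sample attribute strings are constructed for illustration, and the function and class names are the example's own.

```python
"""Parse TACACS+ attribute-value pairs and extract shell:roles.

Added example, not from the Cisco guide or NX-OS: models how a consumer of a
TACACS+ authorization reply recovers the role list from the cisco-av-pair
attribute forms documented above. Sample attribute strings are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# TACACS+ (RFC 8907) separates name and value at the first '=' (mandatory
# attribute) or '*' (optional attribute) found in the argument string.
_SEPARATOR = re.compile(r"[=*]")


@dataclass(frozen=True)
class AVPair:
    name: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AVPair:
    """Split one TACACS+ argument into (name, value, mandatory flag)."""
    match = _SEPARATOR.search(raw)
    if match is None or match.start() == 0:
        raise ValueError(f"malformed TACACS+ argument: {raw!r}")
    return AVPair(
        name=raw[: match.start()],
        value=raw[match.end():],
        mandatory=(match.group(0) == "="),
    )


def roles_from_av_pairs(args: Iterable[str]) -> List[str]:
    """Collect roles from every shell:roles attribute, in order, without duplicates.

    Accepts both forms the guide documents:
      cisco-av-pair=shell:roles="network-admin vsan-admin"   (wrapped)
      shell:roles="network-admin vsan-admin"                 (direct)
    and either the '=' or the '*' separator at each level.
    """
    roles: List[str] = []
    for raw in args:
        pair = parse_av_pair(raw)
        if pair.name == "cisco-av-pair":
            # The value of cisco-av-pair is itself a name=value string.
            inner = parse_av_pair(pair.value)
            if inner.name != "shell:roles":
                continue
            role_text = inner.value
        elif pair.name == "shell:roles":
            role_text = pair.value
        else:
            continue  # e.g. priv-lvl or idletime: carries no role information
        # Roles are a space-separated list, normally wrapped in double quotes.
        for role in role_text.strip().strip('"').split():
            if role not in roles:
                roles.append(role)
    return roles


if __name__ == "__main__":
    # Constructed sample of what an ACS profile like the one above might return.
    sample_reply = [
        'cisco-av-pair*shell:roles="network-admin vsan-admin"',
        "priv-lvl=15",
        'shell:roles="vsan-admin"',
    ]
    for arg in sample_reply:
        p = parse_av_pair(arg)
        label = "mandatory" if p.mandatory else "optional"
        print(f"{p.name:14s} {label:9s} {p.value}")
    print("roles:", roles_from_av_pairs(sample_reply))
```

Splitting at the first separator matters: a value may legitimately contain a later = or *, so scanning for the last one would mis-parse the attribute name.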
Supported TACACS+ Server Parameters
The Cisco NX-OS software currently supports the following parameters for the listed TACACS+ servers:
• TACACS+
cisco-av-pair=shell:roles="network-admin"
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
Defining Roles on the Cisco Secure ACS 5.x GUI
77