Admin access scenario

echelon360
Level 1

Guys,

What's the best way to deploy the below-mentioned setup?

What's set up on TACACS:

-NDGs containing a list of AAA devices classified by country.

I have an administrator that needs to access only 3 of the NDG and be denied access to the rest.

Do I achieve this with:

-New group setup restricting TACACS+ and Enable Options to just the 3 NDGs?

-Create this new administrator and have him assigned to this new group.

Also, am I able to do the following:

-make a user be part of several Groups

-Allow a user access to 1 NDG and several standalone AAA clients that are not part of a group.

5 Replies

darpotter
Level 5

You have a couple of choices. If this admin belongs to a group and they have similar profiles you could create a group with an IP based NAR allowing access to only the named NDGs.

Or, if it's a special case, you can assign NARs directly to the admin user in question.

A user cannot be in several groups. However, using NDG->NAR and NDG->DCS mappings you can make users of a group get different authorisations based on the devices being managed, e.g. NDG1->full access, NDG2->read only.

NARs can contain NDGs, NAFs and individual devices.

Darran

Thanks for the notes on this.

I've created two Shell Command Authorization Sets:

-Full Rights

-Read Only

I've assigned a user access to a specific NDG with full rights. When I use his credentials to log into another switch that is not part of his NDG allow list, I'm puzzled.

Now I can't get into enable mode (that's the intended purpose), but I can run show ip/trace/ping without going to enable mode. It seems that this user has been assigned the Read-Only shell command authorization set for all other switches.

Is there a way i can stop this?

Hmm, interesting; in theory the default position should always be to deny.

Anyway, you could force this. Create a new empty DCS with default cmd = deny.

Add an entry at the bottom of the NDG->DCS mapping table using the special entry, ie --> DENYALL.

If that doesn't fix it... then, um... I'll eat my hat!
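To make the fall-through behaviour discussed in this thread concrete, here is a small Python model of an NDG->command-set mapping table with and without a deny-all catch-all row. It is an added example, not code from the thread or from Cisco ACS: the NDG names, device addresses, command sets and the group-level fallback rule are constructed assumptions, not a description of how ACS actually evaluates its tables.

```python
"""Simplified model of an NDG -> shell command set mapping table.

Constructed example; NDG names, addresses and evaluation order are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CommandSet:
    name: str
    permitted: frozenset   # first words of explicitly permitted commands
    unmatched: str         # "permit" or "deny" for any command not listed

    def decide(self, command: str) -> str:
        return "permit" if command.split()[0] in self.permitted else self.unmatched


FULL_RIGHTS = CommandSet("Full Rights", frozenset(), "permit")
READ_ONLY = CommandSet("Read Only", frozenset({"show", "ping", "traceroute"}), "deny")
DENY_ALL = CommandSet("DENYALL", frozenset(), "deny")

# Which NDG each AAA client belongs to (constructed sample data).
DEVICE_NDG = {"10.0.1.1": "NDG-UK", "10.0.2.1": "NDG-FR"}


def authorize(mapping, group_set, device_ip, command):
    """Walk the group's mapping rows in order; the first row whose NDG matches
    the device decides. A row with ndg None is the catch-all at the bottom.
    If no row matches, this model falls back to the group-level set, which
    reproduces the symptom in the thread: Read Only leaking to other switches.
    """
    ndg = DEVICE_NDG.get(device_ip)
    for row_ndg, command_set in mapping:
        if row_ndg is None or row_ndg == ndg:
            return command_set.decide(command)
    return group_set.decide(command)


# As first configured: only the admin's own NDG is listed.
LEAKY = [("NDG-UK", FULL_RIGHTS)]
# Same table with the suggested fix: an explicit deny-all row at the bottom.
CLOSED = LEAKY + [(None, DENY_ALL)]


def demo():
    return {
        "own_ndg_config": authorize(CLOSED, READ_ONLY, "10.0.1.1", "configure terminal"),
        "other_ndg_show_leaky": authorize(LEAKY, READ_ONLY, "10.0.2.1", "show ip route"),
        "other_ndg_show_closed": authorize(CLOSED, READ_ONLY, "10.0.2.1", "show ip route"),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(check, verdict)
```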

Thanks, but I have just one question. I'm using the Cisco ACS Appliance (CSACSE-1113-K9). Correct me if I'm wrong, but is DCS available on that?

Yes, DCSs are available. You might have to switch them on in interface config.