Admin access scenario

echelon360
Level 1

Guys,

What's the best way to deploy the below-mentioned setup?

What's set up on TACACS:

-NDGs containing lists of AAA devices classified by country.

I have an administrator that needs to access only 3 of the NDGs and be denied access to the rest.

Do I achieve this with

-a new group setup restricting TACACS+ and Enable Options to just the 3 NDGs?

-creating this new administrator and having him assigned to this new group?

Also, am I able to do the following:

-make a user be part of several groups

-allow a user access to 1 NDG and several standalone AAA clients that are not part of a group.

5 Replies

darpotter
Level 5

You have a couple of choices. If this admin belongs to a group and they have similar profiles you could create a group with an IP based NAR allowing access to only the named NDGs.

Or, if it's a special case, you can assign NARs directly to the admin user in question.

A user cannot be in several groups. However, using NDG->NAR and NDG->DCS mappings you can make users of a group get different authorisations based on the devices being managed, e.g. NDG1->full access, NDG2->read only.

NARs can contain NDGs, NAFs and individual devices.

Darran

Thanks for the notes on this.

I've created two Shell Command authorization Set

-Full Rights

-Read Only

I've assigned a user access to a specific NDG with full rights. When I use his credentials to log into another switch that is not part of his NDG allow list, I'm puzzled.

Now I can't get into enable mode (that's the intended purpose), but I can run show ip/trace/ping without going to enable mode. It seems that this user has been assigned the Read-only shell command authorization set for all other switches.

Is there a way I can stop this?

Hmm, interesting; in theory the default position should always be to deny.

Anyway, you could force this. Create a new empty DCS with default cmd = deny.

Add an entry at the bottom of the NDG->DCS mapping table using the special entry, i.e. --> DENYALL.

If that doesn't fix it... then, um.. I'll eat my hat!
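The two replies above describe the same per-group model: a NAR that allows devices by NDG or by individual AAA client, and an ordered NDG->DCS mapping table whose last row should be a catch-all deny-all set. The following is an added illustration of why the catch-all matters; it is not ACS code or anything posted in this thread. It models the mapping table as ordered rows evaluated top-down, a group-level fallback set for devices that match no row, and a "(Not Assigned)" group for clients that belong to no NDG; those three details, the NDG names and the IP addresses are assumptions constructed for the example.

```python
"""Simplified model of ACS-style group authorization (added example).

Assumptions, not ACS behaviour: the NDG->DCS table is a tuple of rows
evaluated top-down, a device matching no row gets the group's fallback
set, and devices outside every NDG belong to "(Not Assigned)".
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed inventory: AAA clients classified into country NDGs.
NDGS = {
    "UK": {"10.1.0.1", "10.1.0.2"},
    "FR": {"10.2.0.1"},
    "DE": {"10.3.0.1"},
    "US": {"10.4.0.1"},
}
UNASSIGNED = "(Not Assigned)"  # assumed name for clients in no NDG


def ndg_of(ip):
    """Return the NDG an AAA client belongs to, or UNASSIGNED."""
    return next((n for n, members in NDGS.items() if ip in members), UNASSIGNED)


@dataclass(frozen=True)
class CommandSet:
    """A shell command authorization set: explicit patterns plus a default."""
    name: str
    default_permit: bool
    permitted: tuple = ()  # fnmatch-style command patterns

    def allows(self, cmd):
        if any(fnmatch(cmd, p) for p in self.permitted):
            return True
        return self.default_permit


FULL = CommandSet("Full Rights", default_permit=True)
READ_ONLY = CommandSet("Read Only", False, ("show *", "ping *", "traceroute *"))
DENYALL = CommandSet("DENYALL", default_permit=False)  # empty set, default = deny


@dataclass
class Group:
    dcs_map: tuple                       # ordered rows (ndg, CommandSet); "*" matches any NDG
    fallback: CommandSet                 # applied when no row matches
    nar_enabled: bool = False
    nar_ndgs: frozenset = frozenset()    # NAR allow list: NDGs
    nar_hosts: frozenset = frozenset()   # NAR allow list: individual AAA clients


def nar_permits(group, ip):
    if not group.nar_enabled:
        return True
    return ip in group.nar_hosts or ndg_of(ip) in group.nar_ndgs


def command_set_for(group, ip):
    ndg = ndg_of(ip)
    for row_ndg, cs in group.dcs_map:
        if row_ndg in ("*", ndg):
            return cs
    return group.fallback


def authorize(group, ip, cmd):
    """Return (permitted, reason) for one command from one device."""
    if not nar_permits(group, ip):
        return False, "NAR: device not in an allowed NDG or client list"
    cs = command_set_for(group, ip)
    return cs.allows(cmd), f"command set {cs.name}"


# As first built: rows for the NDGs the admin should manage, no NAR, and
# the read-only set left as the fallback for every other device.
ORIGINAL = Group(dcs_map=(("UK", FULL), ("FR", READ_ONLY)), fallback=READ_ONLY)

# Hardened: a NAR limited to three NDGs plus one standalone client, an
# explicit row for unassigned clients, and a trailing catch-all row that
# maps every other NDG to the empty deny-all set.
HARDENED = Group(dcs_map=(("UK", FULL), ("FR", READ_ONLY),
                          (UNASSIGNED, READ_ONLY), ("*", DENYALL)),
                 fallback=READ_ONLY, nar_enabled=True,
                 nar_ndgs=frozenset({"UK", "FR", "DE"}),
                 nar_hosts=frozenset({"10.9.0.5"}))

if __name__ == "__main__":
    for label, grp in (("original", ORIGINAL), ("hardened", HARDENED)):
        for ip, cmd in (("10.1.0.1", "configure terminal"),
                        ("10.4.0.1", "show ip route"),   # US: off the admin's list
                        ("10.3.0.1", "show ip route"),   # DE: allowed, but no row
                        ("10.9.0.5", "show version")):   # standalone client
            print(label, ip, repr(cmd), authorize(grp, ip, cmd))
```

In the original table the US switch, which belongs to no row, silently inherits the read-only fallback, which is the "show works but enable doesn't" symptom in the thread. With the catch-all row it is refused at the NAR, and a device the NAR does admit but that has no row of its own (DE here) gets DENYALL rather than read-only, so every permitted device has to be named explicitly. A client allowed by IP alone lands in the unassigned group, so it needs its own row too or the catch-all swallows it.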

Thanks, but I have just one question: I'm using the Cisco ACS Appliance (CSACSE-1113-K9). Correct me if I'm wrong, but is DCS available on that?

Yes, DCSs are available. You might have to switch them on in interface config.
