
New to TACACS+/Cisco Secure ACS

lmilliken
Level 1

I am new to using this product and I have a couple of questions. I have users configured and the groups configured (Admin & ReadOnly). I'm having difficulty with the syntax on my routers and switches when defining the rights/privileges for the admins and read-only users. Does anyone have a sample config that would help?

thanks,


Vivek Santuka
Cisco Employee

Hi,

Looks like you are trying to configure command authorization, i.e. control which commands each user can execute on the device.

There are two ways to do it:

1. Define the commands which each privilege level has access to on the device locally

2. Control the commands a group of users can enter on which device via ACS.

Let us know which one you are trying to configure and I will give a sample config.

Regards,

Vivek

Number #2 sounds more like it. Control what access/commands a group can do.

Hi,

For that you need exec authentication and command authorization on the device and shell command authorization set on ACS.

So on the device you would need the following minimum commands:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

tacacs-server host <ACS-server-IP> key <shared-secret>

On the ACS side, the following link will help:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697557

Regards,

Vivek
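
One way to check a saved device config for the minimum AAA statements listed in the answer above, and to flag method lists that lack the `local` fallback used when the TACACS+ server is unreachable. This is an added example, not part of the original thread; the function name `audit`, the sample configs, the address 192.0.2.10 and the key value are constructed assumptions.

```python
import re

# Method-list statements from the answer above; "commands?" also accepts the
# abbreviated keyword "command".
AAA_CHECKS = {
    "login authentication": r"aaa authentication login default (.+)",
    "level 1 command authorization": r"aaa authorization commands? 1 default (.+)",
    "level 15 command authorization": r"aaa authorization commands? 15 default (.+)",
}

def audit(config_text):
    """Return (missing, no_local_fallback) findings for one device config."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    missing, no_fallback = [], []
    if "aaa new-model" not in lines:
        missing.append("aaa new-model")
    if not any(re.fullmatch(r"tacacs-server host \S+( .*)?", ln) for ln in lines):
        missing.append("tacacs-server host")
    for name, pattern in AAA_CHECKS.items():
        # Method list of the first matching statement, e.g. ["group", "tacacs+", "local"]
        methods = next((m.group(1).split() for ln in lines
                        if (m := re.fullmatch(pattern, ln))), None)
        if methods is None or methods[:2] != ["group", "tacacs+"]:
            missing.append(name)          # statement absent or not sent to TACACS+
        elif methods[-1] != "local":
            no_fallback.append(name)      # no local method if ACS is unreachable
    return missing, no_fallback

# Constructed sample configs (documentation address, placeholder key).
SAMPLE_OK = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
"""
SAMPLE_GAPS = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
"""

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("gaps", SAMPLE_GAPS)):
        print(label, audit(cfg))
```
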

That works!

Thanks for your help!
