Command Authorization on ACS

Unanswered Question
Jul 9th, 2007

Hi Guys,

It's like I want to have only a single user ID (could be an AD account or an ACS local account) & want this user account to have level 1 access on some switches and routers, have rights to run specific commands on core devices and firewalls, & have level 15 on access devices.

So I want to use only one user account & want to have different levels of access & specific command authorization through ACS.

Please help me on this.

Thanks

Jagdeep Gambhir Mon, 07/09/2007 - 08:11

Hi ,

The trick here is to give priv 15 access to the user in question and then deploy command authorization, so that the user can only execute some specific commands.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/spc.htm#wp697557

PIX commands:

username Test password cisco
username Test privilege 15
aaa-server TACACS protocol tacacs+
aaa-server TACACS (outside) host 10.130.102.191 cisco timeout 10
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL <--------- NEEDED FOR COMMAND AUTHORIZATION ON PIX

Regards,

~JG

Please rate if that helps!

Premdeep Banga Mon, 07/09/2007 - 08:14

Hi Nitin,

If we are looking for something like command authorization,

and a single user should be able to log onto different devices but should have different privileges to command sets, using a single user account,

then this won't be feasible using NAP, as it is only for the RADIUS protocol.

First, configure command authorization on the NAS devices.

Then on ACS configure a different Shell Command Authorization Set for each kind of device; then on the user group, configure the section

"Assign a Shell Command Authorization Set on a per Network Device Group Basis", where you can use a "Device Group" and "Command Set" combination.

And your single SSID and user authentication is only user authentication; after that, what devices they access and what level they have, you can control using TACACS and the above configuration.

Regards,

Prem
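The two replies above describe one arrangement: the account gets privilege 15 everywhere, and what it may actually type on each box is decided by the Shell Command Authorization Set that the user group maps to the device's Network Device Group. The following is an added model of that decision logic, written for this page; it is not ACS code and not from either reply. The NDG networks, NAS addresses, command sets and the regex-style argument matching are constructed assumptions, and it assumes the NAS sends the fully expanded command line in its TACACS+ authorization request.

```python
"""Model of the ACS arrangement described above: one TACACS+ account gets
privilege 15 on every device, and the commands it may run are decided per
Network Device Group (NDG) by a Shell Command Authorization Set.

Illustrative model only, not ACS code. NDG networks, command sets and the
matching semantics are constructed assumptions.
"""
from dataclasses import dataclass, field
import ipaddress
import re


@dataclass
class CommandRule:
    """One command line of a Shell Command Authorization Set.

    command: keyword the rule applies to (first token of the command line)
    deny:    regexes that reject the argument string (evaluated first)
    permit:  regexes that accept the argument string
    permit_unmatched_args: fate of arguments matching neither list
    """
    command: str
    deny: list = field(default_factory=list)
    permit: list = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    name: str
    rules: list
    permit_unmatched_commands: bool = False  # the set's "Unmatched Commands" setting

    def authorize(self, cmd_line: str) -> bool:
        """Return True if the (fully expanded) command line is permitted."""
        tokens = cmd_line.split()
        if not tokens:
            return False
        keyword, args = tokens[0], " ".join(tokens[1:])
        for rule in self.rules:
            if rule.command != keyword:
                continue
            if any(re.search(p, args) for p in rule.deny):
                return False
            if any(re.search(p, args) for p in rule.permit):
                return True
            return rule.permit_unmatched_args
        return self.permit_unmatched_commands


# Constructed NDGs, keyed by the NAS source networks ACS would see.
NDG_NETWORKS = {
    "core-routers":    [ipaddress.ip_network("10.0.1.0/24")],
    "firewalls":       [ipaddress.ip_network("10.0.2.0/24")],
    "access-switches": [ipaddress.ip_network("10.0.3.0/24")],
}

# Constructed command sets: level-1-style viewing on core devices, a few
# operational commands on firewalls, and everything on access switches.
CORE_OPS = CommandSet("core-ops", [
    CommandRule("show", deny=[r"running-config", r"startup-config"], permit=[r".*"]),
    CommandRule("clear", deny=[r"^ip bgp"], permit=[r"^counters"]),
    CommandRule("configure", deny=[r".*"]),
])
FW_OPS = CommandSet("fw-ops", [
    CommandRule("show", permit=[r".*"]),
    CommandRule("clear", permit=[r"^xlate"]),  # "clear configure ..." is unmatched -> deny
    CommandRule("packet-tracer", permit=[r".*"]),
])
FULL_ACCESS = CommandSet("full-access", [], permit_unmatched_commands=True)

# The user group's "per Network Device Group" assignment of command sets.
NETOPS_ASSIGNMENT = {
    "core-routers": CORE_OPS,
    "firewalls": FW_OPS,
    "access-switches": FULL_ACCESS,
}


def ndg_for(nas_ip: str):
    """Map the NAS address of a TACACS+ request to its device group (or None)."""
    addr = ipaddress.ip_address(nas_ip)
    for name, nets in NDG_NETWORKS.items():
        if any(addr in net for net in nets):
            return name
    return None


def exec_authorization(nas_ip: str) -> dict:
    """Shell (exec) attributes returned at login: priv-lvl 15 on every known
    device, as in the first reply; the command set does the restricting."""
    return {"priv-lvl": 15} if ndg_for(nas_ip) in NETOPS_ASSIGNMENT else {}


def authorize_command(nas_ip: str, cmd_line: str, assignment=NETOPS_ASSIGNMENT) -> bool:
    """Per-command authorization decision for a user in this group."""
    ndg = ndg_for(nas_ip)
    if ndg not in assignment:
        return False  # unknown device or no set assigned: ACS answers FAIL
    return assignment[ndg].authorize(cmd_line)


if __name__ == "__main__":
    for nas, cmd in [("10.0.1.5", "show ip route"), ("10.0.1.5", "configure terminal"),
                     ("10.0.2.1", "clear xlate"), ("10.0.3.7", "configure terminal")]:
        print(f"{nas:10} {cmd:22} -> {'PERMIT' if authorize_command(nas, cmd) else 'DENY'}")
```

Two caveats when mapping this onto real devices: the deny patterns only work if the NAS sends the expanded keyword (IOS expands abbreviations such as "sh run" before sending the authorization request; the model above assumes that), and the "TACACS LOCAL" method lists in the PIX configuration above mean that when ACS is unreachable, the device falls back to its local database, where the local user's own privilege level decides what it may run.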
