ACS 3.3 - User is assigned more than one group

rccw
Level 1

I am using ACS 3.3 and would like to assign a privilege to someone who has full rights for switches and read-only for routers. However, ACS only allows a single group to be assigned in user setup. How can I configure it to meet this requirement?

Thank You.

Ray

8 Replies

sahmedshahcsd
Level 1

Hi,

You may categorize network devices (AAA Clients) in two NDGs, such as Switches and Routers, and set different authorization levels based on NDGs.

Regards,

Ahmed

Hi Ahmed,

Some staff need full rights for all network devices, but I cannot add the same device to the other NDG. It said that the IP conflicts with the other NDG.

BR

Ray

Jagdeep Gambhir
Level 10

Ray,

If you have configured command authorization, then you can use the option

"Assign a Shell Command Authorization Set on a per Network Device Group Basis"

Or

"Define max Privilege on a per network device group basis"

These options are in group setup. However, if you don't see them, go to Interface Configuration -> TACACS -> Enable advanced TACACS options.

Regards,

~JG

JG,

I have not found the "Assign a Shell Command Authorization Set on a per Network Device Group Basis" option in group setup. Do I need to enable something to activate it?

Thank you.

Ray

You need to switch the feature on under interface config. On the TACACS+ sub page, enable the shell service.

In group setup you should then see the shell command device command authorisation section. You probably need to have some NDGs set up too.

It's also best to define the shell device command sets (under shared profile components) first. That way, when you edit a group, all you need to do is choose which NDGs are assigned a particular DCS.

Hi,

I saw a "Shell Command Authorization" section, but there are only 3 options, which are:

1. None

2. Assign a Shell Command Authorization Set for any network device

3. Per Group Command Authorization

There is no "Assign a Shell Command Authorization Set on a per Network Device Group Basis" option.

Am I missing anything?

Thank you.

Ray

Make sure you go to Interface Configuration -> TACACS -> Enable advanced TACACS options.

Go to Interface Configuration -> Advanced options -> check all options related to NAR -> restart ACS services.

It should be there.

~JG

Hi JG

Thank you very much. I found it.

Ray
