10-03-2007 10:55 PM - edited 03-10-2019 03:25 PM
I am using ACS 3.3 and would like to assign privileges to someone who has full rights for switches and read-only for routers. However, ACS only allows assigning a single group in user setup. How can I configure it to meet this requirement?
Thank You.
Ray
10-04-2007 02:44 AM
Hi,
You may categorize network devices (AAA Clients) in two NDGs, such as Switches and Routers, and set different authorization levels based on NDGs.
Regards,
Ahmed
10-04-2007 06:57 PM
Hi Ahmed,
Some staff need full rights for all network devices, but I cannot add the same device to another NDG. It said that the IP conflicts with another NDG.
BR
Ray
10-04-2007 05:38 AM
Ray,
If you have configured command authorization then you can use the option
"Assign a Shell Command Authorization Set on a per Network Device Group Basis"
Or
"Define max Privilege on a per network device group basis"
These options are in group setup. However, if you don't see it then go to interface configuration----> Tacacs---->Enable advance tacacs options.
Regards,
~JG
10-04-2007 06:49 PM
JG,
I have not found the "Assign a Shell Command Authorization Set on a per Network Device Group Basis" option in group setup. Do I need to enable something to activate it?
Thank you.
Ray
10-04-2007 10:35 PM
You need to switch the feature on under interface config... On the TACACS+ sub page enable the shell service.
In group setup you should then see the shell command device command authorisation section. You probably need to have some NDGs set up too.
It's also best to define the shell device command sets (under shared profile components) first. That way when you edit a group all you need to do is choose which NDGs are assigned a particular DCS.
10-07-2007 06:33 PM
Hi,
I saw a "Shell Command Authorization" section, but there are only 3 options, which are:
1. None
2. Assign a Shell Command Authorization Set for any network device
3. Per Group Command Authorization
There is no "Assign a Shell Command Authorization Set on a per Network Device Group Basis" option.
Am I missing anything?
Thank you.
Ray
10-08-2007 05:26 AM
Make sure you go to interface configuration----> Tacacs---->Enable advance tacacs options.
Go to interface configuration----> Advanced option ----> Check all related to NAR--->restart acs services.
It should be there.
~JG
10-21-2007 05:09 PM
Hi JG
Thank you very much. I found it.
Ray