AAA policy help

Unanswered Question
Jan 10th, 2008

Hi All

user1 >>>GroupA & user2 >>>GroupB

Router1 >>>NDG-A & Router2 >>>NDG-B

Now,

GroupA user must have "sh run" permission on NDG-A but not on NDG-B.

GroupB user must have "sh run" permission on NDG-B but not on NDG-A.

I created two shell command authorisation sets and mapped them to GroupA & GroupB. Then inside the Group, I mapped the Shell command set to NDG. Here I have two associations.

(** I have tested with a single association and it's working, but not with two.)

But somehow it's not working.

Please help.

Regards

Bharat

Jagdeep Gambhir Thu, 01/10/2008 - 06:20

Bharat,

You need to set up "Assign a Shell Command Authorization Set on a per Network Device Group Basis".

In GroupA---> Assign a Shell Command Authorization Set on a per Network Device Group Basis---->

Add NDG A<====> Allow show run set**

Add NDG B<====> Deny all***

In Group B----->Assign a Shell Command Authorization Set on a per Network Device Group Basis---->

Add NDG B<====> Allow show run **

ADD NDG A<====> Deny all***

** Command authorization set allowing only show run

*** Command authorization set that denies everything.

Please check this link,

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Hope that helps!

Regards,

~JG

Do rate helpful posts

Bharat Negi Thu, 01/10/2008 - 06:47

Hi, thanks for your reply. But this thing I have already done on ACS.

After introducing the following commands on the router, it worked.

aaa authorization commands 1 default tacacs+ local
aaa authorization commands 2 default tacacs+ local
aaa authorization commands 3 default tacacs+ local
aaa authorization commands 4 default tacacs+ local
aaa authorization commands 5 default tacacs+ local
aaa authorization commands 6 default tacacs+ local
aaa authorization commands 7 default tacacs+ local
aaa authorization commands 8 default tacacs+ local
aaa authorization commands 9 default tacacs+ local
aaa authorization commands 10 default tacacs+ local
aaa authorization commands 11 default tacacs+ local
aaa authorization commands 12 default tacacs+ local
aaa authorization commands 13 default tacacs+ local
aaa authorization commands 14 default tacacs+ local
aaa authorization commands 15 default tacacs+ local

Thanks for your help

Regards

Bharat

Jagdeep Gambhir Fri, 01/11/2008 - 06:23

We need to have these commands on the router. You never mentioned it in your original post.

Anyway, there is no need to put 15 lines on the router. Just three will take care of it,

i.e.

aaa authorization commands 0 default tacacs+ local
aaa authorization commands 1 default tacacs+ local
aaa authorization commands 15 default tacacs+ local

No need to count from 1 to 15.

Regards,

~JG

Do rate helpful posts
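The thread's root cause has two halves: the router only sends a command-authorization request to ACS for privilege levels that have an "aaa authorization commands <level>" line, and ACS then answers from the group's per-NDG command set. The following Python model of both halves is an added example, not anything posted in the thread or part of ACS; the user/group/NDG mapping mirrors the thread, while the command privilege levels (IOS defaults: "show running-config" at 15, "show version" at 1) and the command-set contents are assumptions.

```python
# Constructed data mirroring the thread (user -> group, device -> NDG).
USER_GROUP = {"user1": "GroupA", "user2": "GroupB"}
DEVICE_NDG = {"Router1": "NDG-A", "Router2": "NDG-B"}

# Assumed IOS default privilege level of each command. IOS only places commands
# at levels 0, 1 and 15 unless 'privilege exec level' has been used, which is
# why JG's three lines (0, 1, 15) cover the same ground as lines 1..15.
COMMAND_LEVEL = {"show running-config": 15, "show version": 1}

# Shell command authorization sets: listed commands are permitted, unmatched
# commands are denied (the "deny all" set permits nothing). Assumed contents.
COMMAND_SETS = {
    "allow-show-run": {"show running-config"},
    "deny-all": set(),
}

# Per-group, per-NDG assignment exactly as JG describes it.
GROUP_NDG_SET = {
    "GroupA": {"NDG-A": "allow-show-run", "NDG-B": "deny-all"},
    "GroupB": {"NDG-B": "allow-show-run", "NDG-A": "deny-all"},
}


def acs_decision(user, device, command):
    """ACS side: pick the command set for the user's group on the device's NDG
    and permit only if the command is in it. An NDG with no assignment is
    treated as deny-all (conservative assumption)."""
    group, ndg = USER_GROUP[user], DEVICE_NDG[device]
    cmd_set = GROUP_NDG_SET[group].get(ndg, "deny-all")
    return command in COMMAND_SETS[cmd_set]


def router_allows(user, device, command, authorized_levels):
    """Router side: 'authorized_levels' is the set of levels that carry an
    'aaa authorization commands <level> default tacacs+ local' line. A command
    whose level has no such line runs locally without ever asking ACS, which is
    the behaviour Bharat saw before adding the lines."""
    if COMMAND_LEVEL[command] not in authorized_levels:
        return True  # no authorization configured for this level: ACS not consulted
    return acs_decision(user, device, command)


def demo():
    """Before/after the router lines, for user1 (GroupA) on Router2 (NDG-B)."""
    before = router_allows("user1", "Router2", "show running-config", set())
    after = router_allows("user1", "Router2", "show running-config", {0, 1, 15})
    return before, after
```

With no authorization lines, demo() reports the command as allowed on the wrong device; with levels 0, 1 and 15 configured, the ACS per-NDG deny takes effect.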
