AAA policy help

Unanswered Question
Jan 10th, 2008
User Badges:

Hi All


user1 >>>GroupA & user2 >>>GroupB

Router1 >>>NDG-A & Router2 >>>NDG-B


Now,

GroupA user must have "sh run" permission on NDG-A but not on NDG-B.

GroupB user must have "sh run" permission on NDG-B but not on NDG-A.


I created two shell command authorisation sets and mapped them to GroupA & GroupB. Then inside the Group, I mapped the Shell command set to NDG. Here I have two associations.

(**I have tested with a single association and it's working. But not with two.)


But somehow it's not working.


Please help.


Regards

Bharat

Jagdeep Gambhir Thu, 01/10/2008 - 06:20
User Badges:
  • Red, 2250 points or more

Bharat,

You need to set up "Assign a Shell Command Authorization Set on a per Network Device Group Basis".


In GroupA ---> Assign a Shell Command Authorization Set on a per Network Device Group Basis --->


Add NDG A <====> Allow show run set**

Add NDG B <====> Deny all***


In Group B ---> Assign a Shell Command Authorization Set on a per Network Device Group Basis --->


Add NDG B <====> Allow show run set**

Add NDG A <====> Deny all***



** Command authorization set allowing only show run

*** Command authorization set that denies everything.


Please check this link,

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml



Hope that helps !


Regards,

~JG


Do rate helpful posts




Bharat Negi Thu, 01/10/2008 - 06:47
User Badges:

Hi, thanks for your reply. But this I have already done on ACS.


After introducing the following commands on the Router, it worked.

aaa authorization commands 1 default tacacs+ local
aaa authorization commands 2 default tacacs+ local
aaa authorization commands 3 default tacacs+ local
aaa authorization commands 4 default tacacs+ local
aaa authorization commands 5 default tacacs+ local
aaa authorization commands 6 default tacacs+ local
aaa authorization commands 7 default tacacs+ local
aaa authorization commands 8 default tacacs+ local
aaa authorization commands 9 default tacacs+ local
aaa authorization commands 10 default tacacs+ local
aaa authorization commands 11 default tacacs+ local
aaa authorization commands 12 default tacacs+ local
aaa authorization commands 13 default tacacs+ local
aaa authorization commands 14 default tacacs+ local
aaa authorization commands 15 default tacacs+ local



Thanks for your help


Regards

Bharat


Jagdeep Gambhir Fri, 01/11/2008 - 06:23
User Badges:
  • Red, 2250 points or more

We need to have these commands on the router. You never mentioned it in your original post.


Anyway, there is no need to put 15 lines on the router. Just three will take care of it,


i.e.

aaa authorization commands 0 default tacacs+ local
aaa authorization commands 1 default tacacs+ local
aaa authorization commands 15 default tacacs+ local


No need to count from 1 to 15.



Regards,

~JG


Do rate helpful posts
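The two halves of this thread (the per-NDG shell command authorization sets on ACS, and the `aaa authorization commands <level>` lines the router needs before it will ask ACS at all) can be modelled together. The following Python is an added example written for this page; it is not Cisco code and not ACS behaviour verified against the product. User, group, router and NDG names mirror the thread, the `unmatched_ndg` fallback set is an assumption, and commands are fed in their expanded form (`show running-config` rather than `sh run`). The point it demonstrates is that the ACS policy is only consulted for privilege levels the router has `aaa authorization commands` configured for; without that line the command runs with no authorization request ever leaving the router.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class CommandSet:
    """One ACS shell command authorization set.

    'permits' holds (command, argument-regex) pairs.  Anything not matched
    falls through to 'permit_unmatched'; False gives a deny-all / deny-unmatched
    set like the '***' set in the thread.
    """
    name: str
    permits: List[Tuple[str, str]] = field(default_factory=list)
    permit_unmatched: bool = False

    def allows(self, command: str, args: str) -> bool:
        for cmd, arg_regex in self.permits:
            if cmd == command and re.fullmatch(arg_regex, args):
                return True
        return self.permit_unmatched


@dataclass
class Decision:
    verdict: str   # "permit", "deny" or "not-queried"
    reason: str


@dataclass
class Router:
    name: str
    ndg: str                      # Network Device Group the router is placed in
    authorized_levels: Set[int]   # levels with 'aaa authorization commands <n>'


@dataclass
class AcsPolicy:
    user_groups: Dict[str, str]                   # user  -> ACS group
    ndg_sets: Dict[str, Dict[str, CommandSet]]    # group -> {NDG: command set}
    unmatched_ndg: CommandSet                     # assumed fallback for an NDG with no mapping

    def authorize(self, router: Router, user: str, command: str,
                  args: str, priv_lvl: int) -> Decision:
        # Router side first: without 'aaa authorization commands <priv_lvl>'
        # IOS never sends a TACACS+ authorization request, so whatever is
        # configured on ACS is never evaluated (the failure mode in the thread).
        if priv_lvl not in router.authorized_levels:
            return Decision("not-queried",
                            f"{router.name} lacks 'aaa authorization commands {priv_lvl}'")
        group = self.user_groups.get(user)
        if group is None:
            return Decision("deny", f"unknown user {user}")
        cmd_set = self.ndg_sets.get(group, {}).get(router.ndg, self.unmatched_ndg)
        if cmd_set.allows(command, args):
            return Decision("permit", f"{group} on {router.ndg}: '{cmd_set.name}' permits")
        return Decision("deny", f"{group} on {router.ndg}: '{cmd_set.name}' denies")


def build_thread_policy() -> Tuple[AcsPolicy, Dict[str, Router]]:
    """Constructed sample mirroring the thread: user1/GroupA/NDG-A, user2/GroupB/NDG-B."""
    show_run = CommandSet("Allow show run", permits=[("show", r"running-config( .*)?")])
    deny_all = CommandSet("Deny all")
    policy = AcsPolicy(
        user_groups={"user1": "GroupA", "user2": "GroupB"},
        ndg_sets={
            "GroupA": {"NDG-A": show_run, "NDG-B": deny_all},
            "GroupB": {"NDG-B": show_run, "NDG-A": deny_all},
        },
        unmatched_ndg=deny_all,
    )
    # Only levels 0, 1 and 15 carry 'aaa authorization commands', as in the last reply.
    routers = {
        "Router1": Router("Router1", "NDG-A", {0, 1, 15}),
        "Router2": Router("Router2", "NDG-B", {0, 1, 15}),
    }
    return policy, routers


if __name__ == "__main__":
    policy, routers = build_thread_policy()
    for user in ("user1", "user2"):
        for r in routers.values():
            d = policy.authorize(r, user, "show", "running-config", 15)
            print(f"{user:6} {r.name:8} show running-config -> {d.verdict:12} ({d.reason})")
    unguarded = Router("Router3", "NDG-B", {1})   # constructed: no level-15 authorization line
    d = policy.authorize(unguarded, "user1", "show", "running-config", 15)
    print(f"user1  Router3  show running-config -> {d.verdict:12} ({d.reason})")
```

Running it prints user1 permitted on Router1 and denied on Router2, user2 the mirror image, and user1 on the unguarded Router3 reported as `not-queried`, which is the state the original poster was in before adding the `aaa authorization commands` lines. When checking a setup like this, test the deny case on the "wrong" NDG as well as the permit case, since a missing authorization line makes both look like success.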

