05-08-2008 08:02 AM - edited 03-10-2019 03:50 PM
I have an ACS appliance. I have made multiple device groups and added devices from different regions to them. I have redundant ACS running in my environment. But when I try to add the AAA server to my different device groups, I get the error that the host already exists. I am only able to add the AAA server to one device group, not the others.
Please tell me whether it is possible to have one AAA server for multiple groups.
I have made 5 users, and each user will only be able to access one group.
Please tell me where I am missing the configuration.
05-08-2008 08:04 AM
Wasim,
There is no need to add the AAA server in each NDG. We just need one server, and that will take care of all aaa-clients and users.
Regards,
~JG
Do rate helpful posts
05-08-2008 01:53 PM
Thanks for the reply. Now I have three groups; one group is DCN and my two AAA servers are added in it. The rest of the three groups are without the ACS.
I have made four users, and I want only one user to be able to manage all devices in one group.
Right now all users are members of the default user group.
How do I restrict users so that they will be able to log in to a specific device group and do their job, not all device groups?
05-08-2008 06:35 PM
Wasim,
You need a feature called NAR (Network Access Restrictions); please see this link:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
Regards,
~JG
Do rate helpful posts
05-09-2008 01:48 PM
Thanks for the reply. It is working fine for me, but now I am not able to configure command authorization. I followed the pattern that you sent on the forum and did the same, but I am still not getting it; the user is able to do all the tasks.
I made a command authorization set as mentioned with show, and denied it with unmatched arguments,
because I want the user to be able to run only show commands.
The user has level 1 permission; it is also showing me in TACACS administration that the user has level 1 permission.
I did the following configuration on the Cisco router for command authorization:
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization config-commands
tacacs-server host 172.28.31.132
tacacs-server host 172.28.31.133
tacacs-server key xxxxxxxx
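An added example, not part of the thread and not Cisco tooling: IOS only sends a command to TACACS+ for authorization when an `aaa authorization commands <level>` line exists for that privilege level, so this Python check flags scopes that the configuration posted above accounts for but never authorizes. The function name `audit_aaa` and the `EXPECTED_EXTRA` lines are assumptions made for illustration.

```python
import re

# AAA lines copied from the router configuration posted in the thread.
POSTED = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization config-commands
"""

# Assumption (not from the thread): authorization lines an auditor would
# expect to see paired with the accounting lines above.
EXPECTED_EXTRA = "aaa authorization exec default group tacacs+ local\n" + "".join(
    f"aaa authorization commands {lvl} default group tacacs+ local\n"
    for lvl in (0, 1, 7, 15)
)

# Matches "aaa <kind> exec <list> ..." and "aaa <kind> commands <level> <list> ...".
AAA_LINE = re.compile(r"^aaa (authorization|accounting) (exec|commands (\d+)) \S+ \S")


def audit_aaa(config):
    """List scopes that are accounted (logged) but have no authorization line."""
    seen = {"authorization": set(), "accounting": set()}
    for raw in config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if m:
            kind, scope, level = m.groups()
            seen[kind].add("exec" if scope == "exec" else int(level))
    findings = []
    if "exec" not in seen["authorization"]:
        findings.append("exec: no 'aaa authorization exec' line")
    levels = sorted(s for s in seen["accounting"] if s != "exec")
    for level in levels:
        if level not in seen["authorization"]:
            findings.append(f"commands {level}: accounted but not authorized")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(POSTED):
        print("FINDING:", finding)
    print("with authorization lines:", audit_aaa(POSTED + EXPECTED_EXTRA))
```

The check reads only `exec` and `commands <level>` method lists; `aaa authorization config-commands` carries no method list of its own and is skipped by the parser.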