Different privilege level for Active Directory users

Answered Question
May 19th, 2008

Hi,

We have integrated ACS 4.1 SE with Windows Active Directory. Now we need to give certain users full privilege on some client devices and only show-level privilege on some devices. What are the necessary steps required in ACS and on the ACS clients? Also, how long will the dynamic users remain in ACS? Thanks in advance.


Overall Rating: 5 (2 ratings)
Jagdeep Gambhir Mon, 05/19/2008 - 07:30

Command authorization will work only with TACACS+ and not with RADIUS. If you are using TACACS+, then check out this link:


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml



If you want to pass only the privilege level, then we need to pass it via an AV pair. See the attachment.


Dynamic users will stay until you manually remove them.



Regards,

~JG


Do rate helpful posts



anva12345 Tue, 05/20/2008 - 00:22

Thanks a lot for the link. We are using TACACS+ only.

Is it possible for a user to be part of more than one user group, and for a client device to be part of more than one Network Device Group?



anva12345 Tue, 05/20/2008 - 03:30

Hi

I forgot to add one more query


After configuring the necessary steps in ACS for command authorization, I am not able to get into enable mode for a priv level 1 user (read-only access). I set priv level 1 under the TACACS+ settings section, because I want to give only show access (all show commands) to certain devices.


The following error is received for the enable command on the router:


Command authorization failed.


For read & write access it is working fine. This is the configuration on the router:


aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local


Jagdeep Gambhir Tue, 05/20/2008 - 06:18

Hi,

If you are using command authorization, then the privilege level doesn't matter.


The best way to set it up is to give all users priv level 15 and then define which commands each user can execute.


Note: Having priv 15 does not mean that the user will be able to issue all commands.


We will set up command authorization on ACS to have control over users.


This is how your config should look:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+



Check out this link

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml




Regards,

~JG


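The failure reported in the previous post (enable rejected for a priv 1 user) and the fix given in the answer above (exec priv 15 handed out by ACS, with the restriction done in a command authorization set, the priv-lvl AV pair the first answer refers to) can be walked through with the following model. This is an added example, not code from the thread or from Cisco ACS: it imitates the matching rules of an ACS 4.x Shell Command Authorization Set as generally understood (command word matched exactly, argument regexes tried in order as permit or deny, a "permit unmatched args" default and an "unmatched commands" default; unanchored regex matching is an assumption). Every set, rule and command below is constructed for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry of the set: the command word and its argument rules."""
    name: str
    # Ordered (action, regex) pairs, action is "permit" or "deny"; first match wins.
    args: list = field(default_factory=list)
    # ACS "Permit Unmatched Args" checkbox: decision when no regex matches.
    permit_unmatched_args: bool = False


@dataclass
class AuthSet:
    """A shell command authorization set plus its "Unmatched Commands" policy."""
    rules: dict
    permit_unmatched_commands: bool = False


def authorize(auth_set: AuthSet, command_line: str) -> bool:
    """Decide one TACACS+ command authorization request against the set.

    The first word is the command; the remainder is the argument string.
    Argument regexes are tried in order with re.search (assumption: ACS 4.x
    matches unanchored, so anchor with ^ when a prefix match is wanted).
    """
    parts = command_line.strip().split(None, 1)
    if not parts:
        return False
    name, args = parts[0], (parts[1] if len(parts) > 1 else "")
    rule = auth_set.rules.get(name)
    if rule is None:
        return auth_set.permit_unmatched_commands
    for action, pattern in rule.args:
        if re.search(pattern, args):
            return action == "permit"
    return rule.permit_unmatched_args


# Constructed sets mirroring the thread: read-only allows every "show" and
# nothing else (so "enable" and "configure" fall through to the deny default);
# full access allows everything.
READ_ONLY = AuthSet(
    rules={
        "show": CommandRule("show", args=[("permit", r".*")]),
        "exit": CommandRule("exit", permit_unmatched_args=True),
    },
    permit_unmatched_commands=False,
)
FULL_ACCESS = AuthSet(rules={}, permit_unmatched_commands=True)

# Argument order matters: deny "show running-config", keep the other show commands.
NO_RUNNING_CONFIG = AuthSet(
    rules={
        "show": CommandRule(
            "show",
            args=[("deny", r"^running-config"), ("permit", r".*")],
        ),
    },
)


def session_decisions(auth_set: AuthSet, exec_priv_lvl: int, commands: list) -> dict:
    """Walk a login session as IOS does with 'aaa authorization commands 1/15'.

    exec_priv_lvl is the level ACS returns for the exec session (priv-lvl AV
    pair in the shell service). Below 15 the user must type 'enable' first,
    and that command is itself sent for authorization; at 15 there is no
    enable step at all.
    """
    results = {}
    if exec_priv_lvl < 15:
        results["enable"] = authorize(auth_set, "enable")
    for cmd in commands:
        results[cmd] = authorize(auth_set, cmd)
    return results


if __name__ == "__main__":
    # Priv 1 user with the read-only set: enable itself is rejected, which is
    # the "Command authorization failed" seen in the thread.
    print(session_decisions(READ_ONLY, 1, ["show version"]))
    # Same set with priv-lvl=15 from ACS: no enable step, show works, config denied.
    print(session_decisions(READ_ONLY, 15, ["show version", "configure terminal"]))
```

With exec priv 1 the session has to go through enable, and a set that lists only show rejects it; that is exactly the error the poster saw. Handing out priv 15 from ACS removes the enable step, while the same set still refuses configure terminal. Note that IOS sends the expanded command to the TACACS+ server, so a rule written against "running-config" also covers a user who typed "sh run".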

Correct Answer
Jagdeep Gambhir Tue, 05/20/2008 - 06:23

Also, in ACS one user or AAA client can't be a part of more than one group.




Regards,

~JG

anva12345 Tue, 05/20/2008 - 07:54
Thanks very much Jgambhir, now it is working fine.
