05-31-2008 06:51 AM - edited 03-10-2019 03:52 PM
I thought I had this problem figured out but I guess not.

I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2. I use tacacs+ authentication for logging into the Cisco router such as telnet and ssh. In the ACS I use "external user databases" for authentication which proxy the request from the ACS over to the RSA SecurID Server. I installed RSA Agents with sdconf.rec file on the Cisco ACS server. I renamed "user group 1" to be "RSA_SecurID" group. In the "External user databases" and "database configurations" I assign SecurID to this "RSA_SecurID" group.

Everything is working fine. In the "User Setup" I can see dynamic user test1, test2,...testn listed in there as "dynamic users". In other words, I can telnet into the router with my two-factor SecurID.

The problem is that if test1 wants to go into "enable" mode with SecurID login, I have to go into "test1" user setting and select "TACACS+ Enable Password" and choose "Use external database password". After that, test1 can go into enable mode with his/her SecurID credential.

Well, this works fine if I have a few users. The problem is that I have about 100 users that I need to do this for. The solution is clearly not scalable. Is there a setting at group level where I can do this?

Any ACS "experts" want to help me out here? Thanks.
06-01-2008 11:33 AM
Sure there is: in the group config, TACACS+ Settings section, check the Shell (exec) and Privilege level boxes, and in the field next to Privilege level type in 15.
Then in Shell Command Authorization either select a shared auth profile (if defined) or, to allow the execution of all commands, check Per Group Command Authorization and Permit.
This will give level 15 to all the users who are members of this group upon entering just username / PASSCODE, no enable required. This does not work with ASAs (at least I have not figured out the authorization settings in ASA), so with ASA after entering the user / PASSCODE you have to wait for the next token code to enter enable.
06-01-2008 02:40 PM
That is not what I want. I want user "test1" to be able to do this:
C
*****************
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get into exec mode. After that, he/she has to use the RSA token password to get into enable mode. Each user can get into "enable" mode with his/her RSA token mode.
The way you described it, it seemed like anyone in this group can go directly into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks.
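The router-side AAA configuration that produces the two "Enter PASSCODE:" prompts shown above (login and enable both authenticated against the TACACS+ server), as an added example that is not from the original thread. The ACS address and shared secret are placeholders, the syntax is the 12.2(15)T style the original poster mentions, and this fragment does not by itself change the per-user "TACACS+ Enable Password" setting the thread is about; it only makes the router send the enable request to ACS.

```cisco
! Added example (not from the thread): IOS 12.2(15)T-style AAA so that both
! the login and the "enable" step are authenticated by the TACACS+ server (ACS).
aaa new-model
! Login (telnet/ssh) -> TACACS+; fall back to local users only if ACS is unreachable
aaa authentication login default group tacacs+ local
! "enable" -> TACACS+. This is what sends the enable request to ACS, where the
! per-user "TACACS+ Enable Password" setting decides which password is checked.
! Falls back to the local enable secret only if ACS is unreachable.
aaa authentication enable default group tacacs+ enable
! Exec authorization lets ACS hand back the privilege level per user/group
aaa authorization exec default group tacacs+ local
! Local fallback credentials (placeholders)
enable secret LOCAL-ENABLE-SECRET-PLACEHOLDER
username fallback-admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
! ACS server address and shared secret are placeholders
tacacs-server host 192.0.2.10 key ACS-SHARED-SECRET-PLACEHOLDER
!
line vty 0 4
 login authentication default
 transport input ssh
```

Check with "test aaa group tacacs+ test1 <passcode> legacy" and "debug aaa authentication" that the login and the separate enable request both reach ACS before rolling this out to all vty lines.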
06-02-2008 06:25 AM
Unfortunately this option is not available at group level
Other way is using RDBMS, see this link
Action Code 105
Regards,
~JG
Do rate helpful posts
06-02-2008 05:15 PM
Excluding RDBMS, are there workarounds for this? RDBMS is too cumbersome.
I am surprised a complex piece of software like Cisco ACS does not offer this feature.