TACACS - Authorization limitations?

andrew-susag
Level 1

Hi all,

Using TACACS, can you restrict a user's rights to certain equipment while giving them full access to others?

What I mean to say is: Can "User A" have view access to Switch 1, global config access to Switch 2, and no access to Router 1?

All using the same TACACS server.

Thanks in advance!

Andy

3 Replies

Farrukh Haroon
VIP Alumni

Yes, it can be done. Sorry, I am editing my post now; I did not read your question carefully.

As stated by jgambhir, you need to have different NDGs for this to work. Please note that NDGs are not visible in ACS by default; you have to enable them from the 'Interface' page.

Regards

Farrukh

Jagdeep Gambhir
Level 10

Andy,

Yes, that is possible. You can give a user different privileges on different NAS.

Here is the link for command authorization:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

In ACS, under group setup, we have the option "Assign a Shell Command Authorization Set on a per Network Device Group Basis".

You can also give different enable privileges by using the option:

Define max Privilege on a per network device group basis

Hope that helps

Regards,

~JG

Do rate helpful posts

aneelaka
Level 1

Configure NAR and command authorization; command authorization is only supported by TACACS.
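
Added example, not part of the thread and not Cisco's code: a simplified Python model of how the three controls named in the replies (NAR, max privilege per NDG, shell command authorization set per NDG) combine to give "User A" view access on Switch 1, global config on Switch 2 and no access to Router 1. The device, NDG and group names and the command sets are constructed, and the evaluation order is an assumption of this sketch, not documented ACS behaviour.

```python
# Simplified teaching model, not ACS's implementation. All names are constructed.
NDG_OF_DEVICE = {"switch1": "NDG-View", "switch2": "NDG-Config", "router1": "NDG-Core"}

# Policy for one hypothetical ACS group, keyed by Network Device Group (NDG).
GROUP_POLICY = {
    "netops": {
        # NAR: NDGs this group may log in to at all (router1's NDG is absent).
        "nar_permit": {"NDG-View", "NDG-Config"},
        # "Define max Privilege on a per network device group basis".
        "max_priv": {"NDG-View": 1, "NDG-Config": 15},
        # Shell command authorization set assigned per NDG.
        "cmd_set": {
            "NDG-View": {"permit": {"show", "ping"}, "deny": set(), "unmatched": False},
            "NDG-Config": {"permit": set(), "deny": {"reload"}, "unmatched": True},
        },
    }
}

def authorize_login(group, device):
    """Return the max privilege level granted, or None if access is refused."""
    policy = GROUP_POLICY.get(group)
    ndg = NDG_OF_DEVICE.get(device)
    if policy is None or ndg not in policy["nar_permit"]:
        return None          # unknown group/device or NAR refusal: no session
    return policy["max_priv"].get(ndg, 0)

def authorize_command(group, device, command):
    """Decide one command against the set assigned to the device's NDG."""
    if authorize_login(group, device) is None:
        return False
    cmd_set = GROUP_POLICY[group]["cmd_set"].get(NDG_OF_DEVICE[device])
    words = command.split()
    if cmd_set is None or not words:
        return False         # no set assigned or empty command: fail closed
    if words[0] in cmd_set["deny"]:
        return False
    if words[0] in cmd_set["permit"]:
        return True
    return cmd_set["unmatched"]

if __name__ == "__main__":
    for dev, cmd in [("switch1", "show version"), ("switch1", "configure terminal"),
                     ("switch2", "configure terminal"), ("switch2", "reload"),
                     ("router1", "show version")]:
        print(dev, repr(cmd), authorize_login("netops", dev),
              authorize_command("netops", dev, cmd))
```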
