LMS with ACS - User Privileges

yankeepwr · ‎05-14-2009

Have LMS3.1 integrated with ACS and have set a group in ACS as Help Desk. Privileges seem correct in ACS and CiscoWorks as to CiscoWorks access for this level. However, a user re-assigned from default PL 15 to Help Desk privilege level can still access and configure devices via the Device Center - Telnet command.

What is the easiest or most direct way to limit this user to "no enable"? Change every (default) enable password, or program custom privilege level?

luijimen · ‎05-28-2009

Hi.

The Device Center > Telnet option just opens a direct Telnet session to the device using the default tool in the workstation. The authorization for this process is not handled by the ACS server.

The ACS only handles the authorization to access CiscoWorks features, for example, editing credentials, adding devices, creating jobs, etc.

You will need to have TACACS+ (for example) configured on your network devices, so that the TACACS+ server authorizes the user to run commands in a Telnet session.

yankeepwr · ‎05-29-2009

Thanks for your reply. I was incomplete in my description.

We have approximately 800 switch and router devices managed by CW with ACS integration via TACAS+. Initially we allowed several individuals level 15 priviledge access via TACAS+ and a single group of ACS netork admins, relying on the expertese of same.

The network expanded rapidly as did this group of sys admins (sound familiar?). Individual responsibilities expanded and changed.

Now we want to ratchet down the list of users with unlimited access but provide more limited access and prividges to some of the experienced analysts who have been promoted beyond the day to day responsibilities system configurations. Further, we want to grant help desk level, system wide monitoring access to these and others less experienced such as desktop and server management.

Access via CiscoWorks allows monitoring capabilities at the help desk level, but unless I define a seperate priviledge level to a seperate group for these users and change the original enable password, the users previously assigned the original users group in ACS tacas+ would still be able to back door the devices (via Device Center - Telnet)and use the original enable password to reconfigure the devices.

Again, am I correct in my thinking that I must:

1.) assign them to a seperate group with a reduced privildge level,

2.) define this priviledge level in all affected devices (to match the capability of monitoring, not configuring all devices), and

3.) change the existing enable password on all devices to prevent application of previous enable password to achieve level 15 via Device Center Telnet/ssh back door.

Or, is there a more straightforward method I am missing via ACS TACAS+ and CiscoWorks?

luijimen · ‎06-01-2009

Hi,

Thanks for the detailed description, I hope I understood correctly.

The steps you describe should achieve what you want, but I believe an easier way can be used.

Make sure to allow the correct privilege level in the TACACS+ side, in order to prevent manual Telnet to the devices.

Second, you can edit the permissions for the Help Desk or any other Role you have assigned for these group in the ACS server. This is done under Shared Profile Components. Select Common Services and the Role the users currently have; HelpDesk for example.

UNSELECT the Device Center checkbox and you should have removed the permission to access Device Center, and therefore the Telnet option on the HelpDesk role.

Please let me know if I misunderstood your scenario.

Regards.