Different Permissions

Answered Question
Aug 19th, 2009

How can I set Cisco ACS to apply full level 15 access to a user when they connect to a switch, but read only access when they connect to a firewall?

Correct Answer by Erick Delgado about 7 years 3 months ago

Hi,

This can be done by using command shell authorization.

Please see documentation below.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

If you have any question do not hesitate to contact me.

Jatin Katyal Wed, 08/19/2009 - 08:36

You can set this by using command authorization.

ACS config:

==========

Create two NDG one for ASA client and one for switch client under network configuration.

Create two different command authorization set for

Switch = permit all

ASA = Deny all

and permit show only

Now, go to the user account, scroll down to the Shell Command Authorization Set

Assign a Shell Command Authorization Set on a per Network Device Group Basis

Here you can map NDG with respective command authorization set.

On the ASA:

===========

aaa authorization command ACS-TACACS LOCAL   ! enables command authorization; ACS-TACACS is the TACACS+ server-group name (assumed name, use your own), LOCAL is the fallback if ACS is unreachable

On the switch

=============

aaa new-model

aaa authorization config-commands

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

For more info, please refer to this link:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo

Let me know if you face any issue.

Regards

JK
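The ACS side of the procedure above (NDG lookup by device, per-user mapping of NDG to a shell command authorization set, then command and argument matching inside the set) is easier to reason about as code. The following is an added example, not part of either answer and not ACS or Cisco code: a small Python model of how ACS evaluates a command sent by a device. Device addresses, the NDG and set names, the user name and the extra argument rule that denies "show running-config" on the firewall (a tightening a practitioner would usually want, since the running config carries secrets) are all assumptions; the poster's sets are simply "permit all" for switches and "deny all, permit show" for the ASA. The argument regex assumes the device sends the fully expanded command, which is what IOS does before the TACACS+ authorization request.

```python
"""Model of ACS shell command authorization: NDG -> command set -> permit/deny."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """One command entry in a command authorization set.

    arg_rules is an ordered list of (action, regex) pairs matched against the
    argument string; unmatched_args decides arguments matching no rule.
    """
    command: str
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)
    unmatched_args: str = "permit"


@dataclass
class CommandSet:
    """A shell command authorization set; unmatched_commands is the default
    for commands that have no entry in the set."""
    name: str
    unmatched_commands: str
    rules: Dict[str, CommandRule] = field(default_factory=dict)

    def authorize(self, command_line: str) -> str:
        words = command_line.split()
        if not words:
            return "deny"
        rule = self.rules.get(words[0].lower())
        if rule is None:
            return self.unmatched_commands
        args = " ".join(words[1:])
        for action, pattern in rule.arg_rules:
            if re.search(pattern, args):
                return action
        return rule.unmatched_args


# Switch set: permit all.
SWITCH_FULL = CommandSet("switch-full", unmatched_commands="permit")

# ASA set: deny all, permit "show" only. The running-config deny is an
# assumed extra rule on top of the poster's "permit show".
ASA_READONLY = CommandSet(
    "asa-readonly",
    unmatched_commands="deny",
    rules={
        "show": CommandRule(
            "show",
            arg_rules=[("deny", r"^running-config")],
            unmatched_args="permit",
        )
    },
)

# Network Device Groups keyed by AAA client address (constructed, RFC 5737 space).
NDG_BY_DEVICE = {"192.0.2.10": "Switches", "192.0.2.1": "Firewalls"}

# Per-user "Assign a Shell Command Authorization Set on a per NDG basis".
USER_SETS = {"netops": {"Switches": SWITCH_FULL, "Firewalls": ASA_READONLY}}


def authorize(user: str, device_ip: str, command_line: str) -> str:
    """Return "permit" or "deny" as ACS would for this user/device/command.

    Anything not explicitly mapped (unknown device, unknown user, NDG without
    an assigned set) is denied, mirroring a fail-closed authorization policy.
    """
    ndg = NDG_BY_DEVICE.get(device_ip)
    if ndg is None:
        return "deny"
    cmd_set = USER_SETS.get(user, {}).get(ndg)
    if cmd_set is None:
        return "deny"
    return cmd_set.authorize(command_line)


if __name__ == "__main__":
    for dev, cmd in [("192.0.2.10", "configure terminal"),
                     ("192.0.2.1", "configure terminal"),
                     ("192.0.2.1", "show interface"),
                     ("192.0.2.1", "show running-config")]:
        print(f"{dev:12} {cmd:22} -> {authorize('netops', dev, cmd)}")
```

The same user gets level-15 style "permit" for everything on the switch NDG and only "show" on the firewall NDG, which is exactly the split the question asks for. Note that the device-side fallback in the posted configs (the trailing "local" / "LOCAL") only applies when ACS is unreachable; it does not relax an explicit deny returned by ACS.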
