Different Permissions

Answered Question
Aug 19th, 2009

How can I set Cisco ACS to apply full level 15 access to a user when they connect to a switch, but read only access when they connect to a firewall?

Correct Answer by Erick Delgado about 7 years 6 months ago

Hi,

This can be done by using command shell authorization.

Please see the documentation below.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

If you have any questions, do not hesitate to contact me.

Jatin Katyal Wed, 08/19/2009 - 08:36

You can set this by using command authorization.

ACS config:

==========

Create two NDGs under Network Configuration: one for the ASA client and one for the switch client.

Create two different command authorization sets:

Switch = permit all

ASA = deny all, and permit "show" only

Now go to the user account and scroll down to the Shell Command Authorization Set section.

Choose "Assign a Shell Command Authorization Set on a per Network Device Group Basis".

Here you can map each NDG to its respective command authorization set.


On the ASA:

===========

aaa authorization command LOCAL

(this enables command authorization on the ASA)



On the switch:

=============

aaa new-model

aaa authorization config-commands

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local



For more info, please refer to this link:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo

Let me know if you face any issues.

Regards

JK
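As an added worked example (not from either answer above, and not Cisco's own configuration guide), this is what the device side of that design can look like when both the switch and the ASA send command authorization to ACS. The server group name ACS-GROUP, the server address 192.0.2.10 and the shared key are placeholders; the ACS-side objects (two NDGs, two command authorization sets, the per-NDG mapping on the user) are the ones described in the reply above.

```cisco
! ---- Switch (IOS): full level-15 access, every command still checked against ACS ----
aaa new-model
! placeholder TACACS+ server; 192.0.2.10 and the key are assumptions
tacacs-server host 192.0.2.10 key 0 PLACEHOLDER-KEY
aaa group server tacacs+ ACS-GROUP
 server 192.0.2.10
!
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
! without this line, commands entered in config mode are not authorized at all
aaa authorization config-commands
aaa authorization commands 1 default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
! accounting makes every permitted or denied command visible in the ACS reports
aaa accounting commands 15 default start-stop group ACS-GROUP

! ---- ASA: same user, read-only ("show") access enforced by the ACS command set ----
aaa-server ACS-GROUP protocol tacacs+
aaa-server ACS-GROUP (inside) host 192.0.2.10
 key PLACEHOLDER-KEY
aaa authentication ssh console ACS-GROUP LOCAL
aaa authentication enable console ACS-GROUP LOCAL
! command authorization is asked of ACS first; LOCAL is only the fallback if ACS is unreachable
aaa authorization command ACS-GROUP LOCAL
aaa accounting command ACS-GROUP
```

On the ACS side the switch NDG is mapped to a set whose unmatched commands are permitted, and the firewall NDG to a set whose unmatched commands are denied with "show" added as a permitted command (unmatched arguments permitted). Two things worth checking before relying on this: the `local`/`LOCAL` fallback means that if ACS is unreachable the device falls back to its local privilege levels, so the privilege level of the local accounts decides what the user can do in that case; and a blanket "show" permit on the firewall still allows `show running-config`, which displays keys and other secrets, so a narrower set (or an explicit deny for that command) may be preferable if "read only" is meant to exclude credentials.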


