08-19-2009 07:43 AM - edited 03-10-2019 04:39 PM
How can I set Cisco ACS to apply full level 15 access to a user when they connect to a switch, but read only access when they connect to a firewall?
08-19-2009 08:17 AM
Hi,
This can be done by using command shell authorization.
Please see documentation below.
If you have any question do not hesitate to contact me.
08-19-2009 08:36 AM
You can set this by using command authorization.
ACS config:
==========
Create two NDG one for ASA client and one for switch client under network configuration.
Create two different command authorization sets:
Switch = permit all
ASA = deny all and permit show only
Now, go to the user account, scroll down to the Shell Command Authorization Set section and select "Assign a Shell Command Authorization Set on a per Network Device Group Basis".
Here you can map each NDG to its respective command authorization set.
On the ASA:
===========
aaa authorization command
On the switch
=============
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
For more info, please refer to this link:
Let me know if you face any issue.
Regards
JK
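As an added illustration (not from the thread or from Cisco), here is a small Python model of how an ACS shell command authorization set is evaluated per Network Device Group, built from the two sets in the answer above. The NDG names "Switches" and "Firewalls", and matching the argument string with a regular expression, are assumptions.

```python
import re
import shlex
from dataclasses import dataclass, field

@dataclass
class CommandEntry:
    # One listed command in the set. Argument rules are checked in order as
    # ("permit" | "deny", regex over the argument string); if none matches,
    # permit_unmatched_args decides (the ACS "Permit Unmatched Args" box).
    arg_rules: list = field(default_factory=list)
    permit_unmatched_args: bool = False

@dataclass
class CommandAuthSet:
    name: str
    unmatched_commands: str                       # "permit" or "deny"
    commands: dict = field(default_factory=dict)  # first word -> CommandEntry

def evaluate(auth_set: CommandAuthSet, command_line: str) -> bool:
    """Return True if the TACACS+ command authorization request is permitted."""
    tokens = shlex.split(command_line)
    if not tokens:
        return False                              # fail closed on an empty request
    cmd, args = tokens[0].lower(), " ".join(tokens[1:])
    entry = auth_set.commands.get(cmd)
    if entry is None:                             # command not listed in the set
        return auth_set.unmatched_commands == "permit"
    for action, pattern in entry.arg_rules:       # regex match is an assumption
        if re.fullmatch(pattern, args):
            return action == "permit"
    return entry.permit_unmatched_args

# The two sets from the answer: switches get everything, the ASA gets show only.
SWITCH_SET = CommandAuthSet("Switch", unmatched_commands="permit")
ASA_SET = CommandAuthSet("ASA", unmatched_commands="deny",
                         commands={"show": CommandEntry(permit_unmatched_args=True)})

# Per-NDG mapping configured on the user account (NDG names are assumptions).
NDG_TO_SET = {"Switches": SWITCH_SET, "Firewalls": ASA_SET}

def authorize(device_ndg: str, command_line: str) -> bool:
    """Pick the set mapped to the device's NDG; an unmapped NDG is denied."""
    auth_set = NDG_TO_SET.get(device_ndg)
    return auth_set is not None and evaluate(auth_set, command_line)

if __name__ == "__main__":
    for ndg, cmd in [("Switches", "configure terminal"),
                     ("Firewalls", "show running-config"),
                     ("Firewalls", "configure terminal")]:
        print(f"{ndg:9} {cmd!r:26} -> {'permit' if authorize(ndg, cmd) else 'deny'}")
```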