AAA Different Permissions again

Answered Question
Aug 20th, 2009

In a previous post I asked how I could assign RO permissions when a user connects to a firewall, but RW access when they connect to a switch. I was given a Cisco KB to follow, but this only allows the user to be in a RO or RW group. I need the same user "Joe Blogs" to have RO access for one device and RW for another.

Jatin Katyal Thu, 08/20/2009 - 07:23

This is what I explained to you in my last update to your post.

Please check again.

Please let me know if you face any issue.

Regards,

JK

networker99 Thu, 08/20/2009 - 08:03

I followed your post, but how does it know when to use the RW group as opposed to the RO group? I can only place the user in one group.

Jatin Katyal Thu, 08/20/2009 - 08:56

This can be done by creating two NDGs and mapping them to their respective command authorization sets under the same user account.

Creating NDGs

----------------

NDG1 for ASA --- add the ASA as an AAA client

NDG2 for switch --- add the switch as an AAA client.

Creating command authorization set

----------------------------------

Create two different command authorization sets under Shared Profile Components for:

Switch = permit all

ASA = Deny all

and permit show only

Now, under the user account you need to map each NDG to the appropriate command authorization set. When the user tries to log in to the switch/ASA, it will check the authorization set mapped to that device's NDG.

Regards,

JK
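The per-NDG authorization logic described above, as an added example that is not part of the thread or of ACS itself: a toy model of how a user's per-Network-Device-Group command authorization sets resolve a command on the ASA versus the switch. The user name, device addresses and NDG labels are constructed; the fail-closed handling of unmapped devices is an assumption, not documented ACS behaviour.

```python
# Added example (not from the thread): models the two NDGs and two shell
# command authorization sets from Jatin's post. Names and addresses are
# constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    """A shell command authorization set: a default verdict plus explicit permits."""
    name: str
    default_permit: bool
    permitted_commands: set = field(default_factory=set)

    def allows(self, command_line: str) -> bool:
        # Command authorization matches on the command word, so
        # "permit show" covers "show run", "show version", and so on.
        words = command_line.strip().split()
        command = words[0] if words else ""
        if command in self.permitted_commands:
            return True
        return self.default_permit


# Shared Profile Components: switch = permit all; ASA = deny all, permit show.
SWITCH_SET = CommandSet("switch-rw", default_permit=True)
ASA_SET = CommandSet("asa-ro", default_permit=False, permitted_commands={"show"})

# NDGs: AAA client address -> NDG name (addresses are constructed).
NDG_OF_DEVICE = {"10.0.0.1": "NDG1-ASA", "10.0.0.2": "NDG2-switch"}

# Per-user mapping, i.e. "Assign a Shell Command Authorization Set on a
# per Network Device Group Basis" for the single user Joe Blogs.
USER_NDG_SETS = {"joe.blogs": {"NDG1-ASA": ASA_SET, "NDG2-switch": SWITCH_SET}}


def authorize(user: str, device_ip: str, command_line: str) -> bool:
    """Return True if the command is permitted for this user on this device.

    A device in no NDG, or an NDG with no set mapped for the user, is
    denied here (fail closed); that is an assumption of this model.
    """
    ndg = NDG_OF_DEVICE.get(device_ip)
    if ndg is None:
        return False
    cmd_set = USER_NDG_SETS.get(user, {}).get(ndg)
    if cmd_set is None:
        return False
    return cmd_set.allows(command_line)
```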

networker99 Thu, 08/20/2009 - 09:09

"Now, under the user account you need to map the NDG with appropriate command authorization set." I can't see how to do this.

Correct Answer
Jatin Katyal Thu, 08/20/2009 - 09:41

Under the user account >> Look for this radio option

Assign a Shell Command Authorization Set on a per Network Device Group Basis.

Attached is the screen shot of the same.

Jatin Katyal Thu, 08/20/2009 - 10:17

This does exist in 4.1.x

You need to enable this feature on the ACS under interface configuration > Advanced Options > check this option "Per-user TACACS+/RADIUS Attributes"

After that click on cancel > go to TACACS+ (Cisco) > check this option "Shell (exec)" for user > hit submit and you are done :)

networker99 Thu, 08/20/2009 - 10:29

Thanks, but I only have

-None

-As Group

-Assign a Shell Command Auth for any network device

-Per User command authorization

I don't have "Based on per network device group basis".
