AAA Different Permissions again

Answered Question
Aug 20th, 2009

In a previous post I asked how I could assign RO permissions when a user connects to a firewall, but RW access when they connect to a switch. I was given a Cisco KB to follow, but this only allows the user to be in a RO or a RW group. I need the same user "Joe Blogs" to have RO access for one device and RW for another.

Jatin Katyal Thu, 08/20/2009 - 07:23
User Badges:
  • Cisco Employee,

This is what I explained to you in my last update to your post.


Please check again.


Please let me know if you face any issue.


Regards,

JK

networker99 Thu, 08/20/2009 - 08:03

I followed your post, but how does it know when to use the RW group as opposed to the RO group? I can only place the user in one group.

Jatin Katyal Thu, 08/20/2009 - 08:56
User Badges:
  • Cisco Employee,

This can be done by creating two NDGs and mapping them to their respective command authorization sets under the same user account.

Creating NDGs

----------------

- NDG1 for ASA: add the ASA as an AAA client.

- NDG2 for switch: add the switch as an AAA client.

Creating command authorization sets

----------------------------------

Create two different command authorization sets under Shared Profile Components:

- Switch = permit all

- ASA = deny all, and permit "show" only

Now, under the user account you need to map each NDG to the appropriate command authorization set. When the user tries to log in to the switch/ASA, ACS will check the authorization set mapped to that device's NDG.


Regards,

JK
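The lookup described above (device -> NDG -> the command authorization set mapped for that user) as an added Python model that is not part of the thread or of ACS itself; the device addresses, NDG and set names, and the fail-closed handling of unmapped devices and users are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model of ACS 4.x per-NDG shell command authorization:
# one user, two NDGs, two command authorization sets.

@dataclass
class CommandSet:
    name: str
    unmatched: str                                   # "permit" or "deny" for commands not listed
    commands: dict = field(default_factory=dict)     # first token of the command -> "permit"/"deny"

    def decide(self, command_line: str) -> str:
        tokens = command_line.strip().split()
        verb = tokens[0].lower() if tokens else ""
        return self.commands.get(verb, self.unmatched)

# Constructed NDG membership: AAA client address -> NDG name
NDG_OF_DEVICE = {
    "192.0.2.1": "NDG1-ASA",        # ASA added as AAA client in NDG1
    "192.0.2.2": "NDG2-Switch",     # switch added as AAA client in NDG2
}

# Constructed Shared Profile Components (command authorization sets)
SWITCH_RW = CommandSet("Switch-RW", unmatched="permit")                    # permit all
ASA_RO = CommandSet("ASA-RO", unmatched="deny", commands={"show": "permit"})  # deny all, permit show

# Per-user mapping ("Assign a Shell Command Authorization Set on a per
# Network Device Group Basis"): user -> NDG -> command set
USER_NDG_SETS = {
    "joe.blogs": {"NDG1-ASA": ASA_RO, "NDG2-Switch": SWITCH_RW},
}

def authorize(user: str, device_ip: str, command_line: str) -> str:
    """Return 'permit' or 'deny' for one command authorization request."""
    ndg = NDG_OF_DEVICE.get(device_ip)
    if ndg is None:
        return "deny"   # assumption: device in no NDG -> no set applies, fail closed
    cmd_set = USER_NDG_SETS.get(user, {}).get(ndg)
    if cmd_set is None:
        return "deny"   # assumption: no set mapped for this user/NDG -> fail closed
    return cmd_set.decide(command_line)

if __name__ == "__main__":
    for dev, cmd in [("192.0.2.1", "show run"), ("192.0.2.1", "configure terminal"),
                     ("192.0.2.2", "configure terminal")]:
        print(dev, repr(cmd), "->", authorize("joe.blogs", dev, cmd))
```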





networker99 Thu, 08/20/2009 - 09:09

"Now, under the user account you need to map the NDG with appropriate command authorization set." I can't see how to do this.

Correct Answer
Jatin Katyal Thu, 08/20/2009 - 09:41
User Badges:
  • Cisco Employee,

Under the user account >> Look for this radio option


Assign a Shell Command Authorization Set on a per Network Device Group Basis.


Attached is the screen shot of the same.



Jatin Katyal Thu, 08/20/2009 - 10:17
User Badges:
  • Cisco Employee,

This does exist in 4.1.x


You need to enable this feature on the ACS under interface configuration > Advanced Options > check this option "Per-user TACACS+/RADIUS Attributes"



After that click on cancel > go to TACACS+ (Cisco) > check this option "Shell (exec)" for user > hit submit and you are done :)






networker99 Thu, 08/20/2009 - 10:29

Thanks, but I only have:

- None

- As Group

- Assign a Shell Command Auth for any network device

- Per User command authorization

I don't have "Based on per network device group basis".

networker99 Thu, 08/20/2009 - 10:41

Got it!! I didn't have NDG selected under interface options.
