Authorization, Accounting for users.

Unanswered Question
May 10th, 2010

Hello experts,


I'm not very familiar with ACS. I want to know, other than authenticating users who are accessing routers or switches, what else I can do for Windows users (local corporate users).


For administrators and junior-level engineers I have created authentication from the ACS, but what about those who are not concerned with logging in to routers and switches, such as local corporate users? What authentication, authorization, and accounting can I do for them?


Thanks,

Jatin Katyal Tue, 05/11/2010 - 06:30

Mathew,


Looks like you have TACACS in use.


For configuring limited access to network devices, I would suggest you implement command authorization (only supported by TACACS).


ACS Shell Command Authorization Sets on IOS Configuration Example

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo


In order to know who has run which command on the IOS, please go for command accounting (again only supported by TACACS).


aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


HTH

JK


Please rate helpful posts-
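Added example, not part of the original reply: a small Python check that reads an IOS configuration and reports which of the accounting lines from the reply above (exec, and commands at privilege levels 0, 1 and 15) are missing from the default method list. The function name and both sample configurations are constructed for illustration, and the check assumes the default list with `group tacacs+` as its first method.

```python
import re

# Privilege levels the reply above enables command accounting for.
REQUIRED_LEVELS = (0, 1, 15)

# Matches "aaa accounting exec|commands <lvl> default <record-type> <methods>".
ACCT_RE = re.compile(
    r"^aaa accounting (exec|commands (\d+)) default "
    r"(start-stop|stop-only) (.+)$"
)

def missing_accounting(config_text):
    """Return the accounting items absent from the default method list."""
    found = set()
    for raw in config_text.splitlines():
        m = ACCT_RE.match(raw.strip())
        if not m:
            continue  # unrelated line, or a list such as "default none"
        # Assumption: only "group tacacs+" as the first method counts.
        if m.group(4).split()[:2] != ["group", "tacacs+"]:
            continue
        level = m.group(2)
        found.add("exec" if level is None else f"commands {int(level)}")
    required = {"exec"} | {f"commands {lvl}" for lvl in REQUIRED_LEVELS}
    return sorted(required - found)

# Constructed sample: the four lines from the reply.
COMPLETE = """\
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Constructed sample: level 1 absent, level 15 accounting turned off.
PARTIAL = """\
aaa new-model
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default none
"""

if __name__ == "__main__":
    for name, cfg in (("COMPLETE", COMPLETE), ("PARTIAL", PARTIAL)):
        print(name, "missing:", missing_accounting(cfg) or "nothing")
```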

estelamathew Tue, 05/11/2010 - 08:17

Hello friend,


Well, OK for the junior engineers, but how is ACS useful for the corporate users who are not doing any IT-related job, for example: HR, Finance, Resourcing, Admin department?


I want to install ACS in a university. How useful will it be for university students? I have a Windows AD with Group Policy flowing to each and every student.


What worth will ACS be for me in this type of scenario?


Thanks,

Jatin Katyal Wed, 05/12/2010 - 04:45

This is more of a requirement/implementation question that should go to your internal team. However, I would suggest that for those who are not doing any IT-related job and whom you want to completely block from using any network devices, you can configure NAR for them, and for university students ACS can always serve as wireless authentication validation. You can also use ACS to authenticate all internal users before they access the internet (adds more security).


Rgds,

JK


Do rate helpful posts-

estelamathew Fri, 05/21/2010 - 00:29

Hello,


You can also use ACS to authenticate all internal users before they access internet. (adds more security).


This can be done by Windows Group Policy, by not allowing access to the internet, so why should I require ACS? But how can this be achieved by ACS?


I would suggest you that for those who are not doing any IT related job and you want to completely block them to use any network devices, you can configure NAR


Which network devices do you mean? When they don't have any password to access routers and switches, what is the advantage of doing NAR on those users?


university student ACS can always serve as wireless authentication validation


Without the access point key nobody can access the wireless access point for internet, but suppose I allow wireless authentication through ACS for them, I can do AAA for wireless users. How can I achieve this? Please mail me the steps or a link.


I'm very new to ACS; actually I don't know the benefits of it and how it can be worthwhile for such a university and non-IT-related users. Please guide me with the FINAL STEPS of what I should configure for NON-IT-related users.


Thanks for your support, Jkatyal, and also for being patient with my questions. I appreciate your replies.
