08-20-2009 05:45 AM - edited 03-10-2019 04:39 PM
In a previous post I asked how I could assign RO permissions when a user connects to a firewall, but RW access when they connect to a switch. I was given a Cisco KB to follow, but this only allows the user to be in a RO or RW group. I need the same user "Joe Blogs" to have RO access for one device and RW for another.
08-20-2009 09:41 AM
Under the user account, look for this radio option:
Assign a Shell Command Authorization Set on a per Network Device Group Basis.
Attached is a screenshot of the same.
08-20-2009 07:23 AM
This is what I explained to you in my last update to your post.
Please check again.
Please let me know if you face any issue.
Regards,
JK
08-20-2009 08:03 AM
I followed your post, but how does it know when to use the RW group as opposed to the RO group? I can only place the user in one group.
08-20-2009 08:56 AM
This can be done by creating two NDGs and mapping them to the respective command authorization sets under the same user account.
Creating NDGs
----------------
NDG1 for ASA --- add the ASA as an AAA client
NDG2 for switch --- add the switch as an AAA client
Creating command authorization sets
----------------------------------
Create two different command authorization sets under Shared Profile Components:
Switch = permit all
ASA = deny all
and permit show only
Now, under the user account, you need to map each NDG to the appropriate command authorization set. When the user tries to log in to the switch/ASA, ACS will check the authorization set mapped to that device's NDG.
Regards,
JK
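The decision logic JK describes above, written out as an added example (this is not Cisco ACS code, and the user name, device addresses, NDG names and set names are constructed for illustration). It models two Shell Command Authorization Sets, NDG membership keyed by AAA client address, and the per-user NDG-to-set mapping, then answers TACACS+ command authorization requests for the same user against both devices. The argument-level deny on `show running-config` in the ASA set goes beyond what the thread configures; it mirrors the per-command argument lines ACS offers and is my addition, since a firewall's running config carries keys and pre-shared secrets that read-only staff rarely need.

```python
"""Model of ACS 4.x per-NDG shell command authorization (illustration only).

Added example of the decision logic described in the thread, not Cisco ACS
code. The user name, device addresses, NDG names and command set names are
constructed for the example.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry in a Shell Command Authorization Set.

    `args` holds (action, regex) lines checked in order against the argument
    string; `permit_unmatched_args` stands in for the checkbox of the same
    name in the ACS set editor.
    """
    args: list = field(default_factory=list)
    permit_unmatched_args: bool = True


@dataclass
class CommandAuthSet:
    name: str
    unmatched_commands: str = "deny"              # "Unmatched Commands": permit / deny
    commands: dict = field(default_factory=dict)  # command name -> CommandRule

    def decide(self, command: str, args: str = "") -> str:
        rule = self.commands.get(command)
        if rule is None:
            return self.unmatched_commands
        for action, pattern in rule.args:
            if re.search(pattern, args):
                return action
        return "permit" if rule.permit_unmatched_args else "deny"


# Two sets, as in the thread: switch = permit all; ASA = deny all, permit show.
# The deny line on "show running-config" is my addition (see lead-in).
SWITCH_RW = CommandAuthSet("Switch-RW", unmatched_commands="permit")
ASA_RO = CommandAuthSet(
    "ASA-RO",
    unmatched_commands="deny",
    commands={"show": CommandRule(args=[("deny", r"^running-config")])},
)

# NDG membership is keyed by AAA client address (constructed TEST-NET addresses).
NDG_OF_DEVICE = {
    "192.0.2.1": "NDG1-ASA",
    "192.0.2.2": "NDG2-Switch",
}

# Per-user "Assign a Shell Command Authorization Set on a per Network Device
# Group Basis": NDG -> set, for one and the same user account.
USER_NDG_SETS = {
    "joe.blogs": {
        "NDG1-ASA": ASA_RO,
        "NDG2-Switch": SWITCH_RW,
    },
}


def authorize(user: str, device_ip: str, command: str, args: str = "") -> str:
    """Return "permit" or "deny" for a TACACS+ command authorization request.

    Assumption (mine): a device outside every NDG, or an NDG with no set
    assigned to this user, is denied rather than falling through to a default.
    """
    ndg = NDG_OF_DEVICE.get(device_ip)
    if ndg is None:
        return "deny"
    auth_set = USER_NDG_SETS.get(user, {}).get(ndg)
    if auth_set is None:
        return "deny"
    return auth_set.decide(command, args)


if __name__ == "__main__":
    # Constructed requests that mirror the thread: same user, two devices.
    requests = [
        ("joe.blogs", "192.0.2.2", "configure", "terminal"),
        ("joe.blogs", "192.0.2.1", "show", "version"),
        ("joe.blogs", "192.0.2.1", "show", "running-config"),
        ("joe.blogs", "192.0.2.1", "configure", "terminal"),
        ("joe.blogs", "198.51.100.9", "show", "version"),
    ]
    for user, ip, cmd, arg in requests:
        print(f"{user}@{ip}: {cmd} {arg} -> {authorize(user, ip, cmd, arg)}")
```

One caveat the model makes visible: ACS can only judge commands the device actually sends it for authorization, so the switch and the ASA must each be configured to authorize shell commands via TACACS+ against the ACS server; the per-NDG mapping on the user account changes nothing on a device that only authenticates logins.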
08-20-2009 09:09 AM
"Now, under the user account you need to map the NDG with appropriate command authorization set." I can't see how to do this.
08-20-2009 09:52 AM
Doesn't exist in version 4.1.
08-20-2009 10:17 AM
This does exist in 4.1.x.
You need to enable this feature on the ACS under Interface Configuration > Advanced Options > check the option "Per-user TACACS+/RADIUS Attributes".
After that, click Cancel, go to TACACS+ (Cisco), check the option "Shell (exec)" for User, hit Submit and you are done :)
08-20-2009 10:29 AM
Thanks, but I only have:
- None
- As Group
- Assign a Shell Command Authorization Set for any network device
- Per User Command Authorization
I don't have "Based on per Network Device Group Basis".
08-20-2009 10:41 AM
Got it!! I didn't have NDG selected under Interface Configuration.