08-20-2009 05:45 AM - edited 03-10-2019 04:39 PM
In a previous post I asked how I could assign RO permissions when a user connects to a firewall, but RW access when they connect to a switch. I was given a Cisco KB to follow, but this only allows the user to be in an RO or RW group. I need the same user "Joe Blogs" to have RO access for one device and RW for another.
08-20-2009 09:41 AM
Under the user account, look for this radio option:
Assign a Shell Command Authorization Set on a per Network Device Group Basis.
Attached is a screenshot of the same.
08-20-2009 07:23 AM
This is what I explained to you in my last update to your post.
Please check again.
Please let me know if you face any issue.
Regards,
JK
08-20-2009 08:03 AM
I followed your post, but how does it know when to use the RW group as opposed to the RO group? I can only place the user in one group.
08-20-2009 08:56 AM
This can be done by creating two NDGs and mapping them to the respective command authorization sets under the same user account.
Creating NDGs
----------------
NDG1 for ASA --- add the ASA as an AAA client
NDG2 for switch --- add the switch as an AAA client
Creating command authorization sets
----------------------------------
Create two different command authorization sets under Shared Profile Components:
Switch = permit all
ASA = deny all and permit show only
Now, under the user account you need to map each NDG to the appropriate command authorization set. When the user tries to log in to the switch/ASA, it will check the authorization set mapped to that device's NDG.
Regards,
JK
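As an added illustration (not JK's configuration or ACS code), the following models how the pieces described above fit together: a AAA client belongs to an NDG, the user account maps each NDG to a shell command authorization set, and that set decides each command. Device names, the user name and the argument rule on `show running-config` are constructed for the example; the two sets follow the thread (switch = permit all, ASA = deny all except show).

```python
from dataclasses import dataclass, field

@dataclass
class CommandRule:
    # Each command listed in an ACS shell set can permit/deny specific
    # argument strings and chooses what happens to unlisted arguments.
    args: dict = field(default_factory=dict)      # argument -> "permit"/"deny"
    permit_unmatched_args: bool = True

@dataclass
class CommandSet:
    unmatched_commands: str                       # "permit" or "deny" (the radio button)
    commands: dict = field(default_factory=dict)  # command -> CommandRule

def authorize(cmd_set: CommandSet, line: str) -> bool:
    """True if the command line is permitted by this set."""
    command, _, args = line.strip().partition(" ")
    rule = cmd_set.commands.get(command)
    if rule is None:                              # command not listed at all
        return cmd_set.unmatched_commands == "permit"
    action = rule.args.get(args.strip())
    if action is not None:                        # explicit argument rule
        return action == "permit"
    return rule.permit_unmatched_args

# Shared Profile Components > Shell Command Authorization Sets (from the thread)
SWITCH_SET = CommandSet(unmatched_commands="permit")         # "permit all"
ASA_SET = CommandSet(unmatched_commands="deny",              # "deny all ..."
                     commands={"show": CommandRule(          # "... permit show only"
                         args={"running-config": "deny"})})  # constructed extra arg rule

# Network Configuration: AAA client -> NDG (names constructed for the example)
AAA_CLIENT_NDG = {"asa-edge": "NDG1", "sw-core": "NDG2"}
# User account: NDG -> command set (the per-NDG radio option from the thread)
USER_NDG_SETS = {"joe.blogs": {"NDG1": ASA_SET, "NDG2": SWITCH_SET}}

def decide(user: str, device: str, line: str) -> bool:
    """Command authorization: the device's NDG selects the user's set."""
    ndg = AAA_CLIENT_NDG.get(device)
    cmd_set = USER_NDG_SETS.get(user, {}).get(ndg)
    if cmd_set is None:                           # nothing mapped: fail closed
        return False
    return authorize(cmd_set, line)

if __name__ == "__main__":
    for dev, cmd in [("sw-core", "configure terminal"), ("asa-edge", "show version"),
                     ("asa-edge", "configure terminal"), ("asa-edge", "show running-config")]:
        verdict = "permit" if decide("joe.blogs", dev, cmd) else "deny"
        print(f"{dev:9s} {cmd:20s} -> {verdict}")
```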
08-20-2009 09:09 AM
"Now, under the user account you need to map the NDG with appropriate command authorization set." I can't see how to do this.
08-20-2009 09:52 AM
Doesn't exist in version 4.1.
08-20-2009 10:17 AM
This does exist in 4.1.x.
You need to enable this feature on the ACS under Interface Configuration > Advanced Options > check the option "Per-user TACACS+/RADIUS Attributes".
After that, click Cancel > go to TACACS+ (Cisco) > check the option "Shell (exec)" for User > hit Submit and you are done :)
08-20-2009 10:29 AM
Thanks, but I only have:
- None
- As Group
- Assign a Shell Command Auth for any network device
- Per User command authorization
I don't have "Based on per network device group basis".
08-20-2009 10:41 AM
Got it!! Didn't have NDG selected under interface options.