In a previous post I asked how I could assign RO permissions when a user connects to a firewall, but RW access when they connect to a switch. I was given a Cisco KB to follow, but this only allows the user to be in an RO or RW group. I need the same user, "Joe Blogs", to have RO access for one device and RW for another.
This is what I explained to you in my last update to your post.
Please check again.
Please let me know if you face any issues.
I followed your post, but how does it know when to use the RW group as opposed to the RO group? I can only place the user in one group.
This can be done by creating two NDGs and mapping them to the respective command authorization set under the same user account.
NDG1 for ASA: add the ASA as an AAA client.
NDG2 for switch: add the switch as an AAA client.
Creating command authorization sets
Create two different command authorization sets under Shared Profile Components:
Switch = permit all
ASA = deny all, and permit show only
Now, under the user account you need to map each NDG to the appropriate command authorization set. When the user tries to log in to the switch or ASA, it will check the authorization set mapped to that device's NDG.
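The lookup the answer above describes, as an added example that models the decision in Python; this is not ACS code and not the poster's. The device addresses, NDG names, the user name and the `authorize` helper are all assumptions for illustration. It goes one step beyond the thread's "permit show only" by placing a deny rule for `show running-config` ahead of the blanket `show` permit, since that command dumps the whole configuration, including any stored keys, to a user who is only meant to be read-only.

```python
"""Model of per-Network-Device-Group (NDG) TACACS+ command authorization.

Added example, not ACS code. It mimics the chain the thread describes:
AAA client address -> NDG -> command set mapped to that NDG under the
user -> first matching rule -> default action for unmatched commands.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    """One shell command authorization set: ordered rules plus a default."""
    name: str
    # (command, argument regex, action); evaluated in order, first match wins
    rules: list = field(default_factory=list)
    default_action: str = "deny"   # fail closed for anything not listed

    def decide(self, command_line: str) -> str:
        parts = command_line.strip().split(None, 1)
        if not parts:
            return "deny"
        cmd = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        for rule_cmd, arg_pattern, action in self.rules:
            if rule_cmd == cmd and re.fullmatch(arg_pattern, args):
                return action
        return self.default_action


# Constructed sample data (assumed names and RFC 5737 test addresses).
# In ACS the NDG is derived from which AAA client sent the request.
NDG_OF_DEVICE = {
    "192.0.2.1": "NDG1-ASA",
    "192.0.2.2": "NDG2-Switch",
}

# Switch set: "permit all", as the thread describes.
SWITCH_RW = CommandSet("Switch-permit-all", rules=[], default_action="permit")

# ASA set: "deny all, permit show only", with the running-config carve-out
# placed before the blanket show permit so it is evaluated first.
ASA_RO = CommandSet(
    "ASA-show-only",
    rules=[
        ("show", r"running-config.*", "deny"),   # would expose stored keys
        ("show", r".*", "permit"),
    ],
    default_action="deny",
)

# Same user, different command set per NDG: this is the mapping the
# thread says lives under the user account.
USER_POLICY = {
    "joe.blogs": {"NDG1-ASA": ASA_RO, "NDG2-Switch": SWITCH_RW},
}


def authorize(user: str, device_ip: str, command_line: str) -> str:
    """Return 'permit' or 'deny' for one command from one user on one device."""
    ndg = NDG_OF_DEVICE.get(device_ip)
    if ndg is None:
        return "deny"            # unknown AAA client: fail closed
    cmd_set = USER_POLICY.get(user, {}).get(ndg)
    if cmd_set is None:
        return "deny"            # no set mapped for this NDG: fail closed
    return cmd_set.decide(command_line)


if __name__ == "__main__":
    for who, ip, cmd in [
        ("joe.blogs", "192.0.2.2", "configure terminal"),
        ("joe.blogs", "192.0.2.1", "show interface"),
        ("joe.blogs", "192.0.2.1", "show running-config"),
        ("joe.blogs", "192.0.2.1", "configure terminal"),
        ("joe.blogs", "192.0.2.9", "show version"),
    ]:
        print(f"{who}@{ip}: {cmd!r} -> {authorize(who, ip, cmd)}")
```

Two points to carry over to a real deployment: the ASA set must fail closed (anything not explicitly permitted is denied), and the model matches the literal command string, so it assumes the device has already expanded abbreviations such as `sh run` before sending the authorization request. An administrator with the "permit show" set who is not meant to read secrets should also have `show running-config` denied, as above.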
"Now, under the user account you need to map the NDG with appropriate command authorization set." I can't see how to do this.
This does exist in 4.1.x.
You need to enable this feature on the ACS under Interface Configuration > Advanced Options > check the option "Per-user TACACS+/RADIUS Attributes".
After that, click Cancel > go to TACACS+ (Cisco) > check the option "Shell (exec)" for User > hit Submit and you are done :)
Thanks, but I only have:
- Assign a Shell Command Auth for any network device
- Per User command authorization
I don't have "Based on per network device group basis".