AAA/Secure ACS Authentication- Different privilege levels
I have an IOS config/Secure ACS server question. If I want local users set up on a switch to log in and go straight to the Enable prompt (Privilege level 15), and have 2 different groups of users authenticated through Secure ACS to a Windows database set into 2 different groups, one with full level 15 access, and one group with Sh command access (including sh run), what would be the best way of setting this up? I have tried several different config options, but cannot make it work completely.
Re: AAA/Secure ACS Authentication- Different privilege levels
The type of access is also an important consideration. If there are to be different administrative access levels to the AAA clients, or if a subset of administrators is to be limited to certain systems, CiscoSecure ACS can be used with command authorization per network device to restrict network administrators as necessary. Using local authentication restricts the administrative access policy to no login on a device or using privilege levels to control access. Controlling access by means of privilege levels is cumbersome and not very scalable. This requires that the privilege levels of specific commands are altered on the AAA client device and specific privilege levels are defined for the user login. It is also very easy to create more problems by editing command privilege levels.

Using command authorization on CiscoSecure ACS does not require that you alter the privilege level of controlled commands. The AAA client sends the command to CiscoSecure ACS to be parsed and CiscoSecure ACS determines whether the administrator has permission to use the command. The use of AAA allows authentication on any AAA client to any user on CiscoSecure ACS and limits access to these devices on a per-AAA client basis.
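
Added example, not part of the original thread or of Cisco's documentation: a switch-side IOS configuration sketch for the command-authorization approach described in the reply, using TACACS+ with a local fallback account. It assumes both ACS groups are assigned privilege level 15 in their TACACS+ shell settings and that the read-only group has a command authorization set permitting only `show`; the server address, key and username are constructed placeholders.

```cisco
! Constructed example: address, key, username and secrets are placeholders.
aaa new-model
!
! Local account that lands directly at the enable prompt (privilege 15).
username localadmin privilege 15 secret <LOCAL-SECRET>
!
! ACS server reached over TACACS+ (192.0.2.10 is a documentation address).
tacacs-server host 192.0.2.10 key <TACACS-KEY>
!
! Try ACS first; the local database is consulted only when ACS does not
! respond. A reject from ACS is final and does not fall through to local.
aaa authentication login default group tacacs+ local
!
! Start the exec session at the privilege level returned by ACS, or at the
! level on the local username entry when ACS is unreachable.
aaa authorization exec default group tacacs+ local
!
! Send every level 1 and level 15 command to ACS for a permit/deny decision,
! so the read-only group can run "show running-config" at level 15 while
! everything outside its permitted command set is denied by ACS.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Apply the same per-command check inside configuration mode.
aaa authorization config-commands
!
! Keep a record of the level 15 commands each administrator runs.
aaa accounting commands 15 default start-stop group tacacs+
```

Because the `local` method is only a fallback, the local account works while ACS is unreachable; keep an existing privileged session open while testing so a mistake in the method lists does not lock you out.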