Cisco Support Community

AAA/Secure ACS Authentication- Different privilege levels

I have an IOS config/Secure ACS server question. If I want local users set up on a switch to log in and go straight to the Enable prompt (Privilege level 15), and have 2 different groups of users authenticated through Secure ACS to a Windows database set into 2 different groups, one with full level 15 access, and one group with Sh command access (including sh run), what would be the best way of setting this up? I have tried several different config options, but cannot make it work completely.

Thanks for your help!


Re: AAA/Secure ACS Authentication- Different privilege levels

The type of access is also an important consideration. If there are to be different administrative access levels to the AAA clients, or if a subset of administrators is to be limited to certain systems, CiscoSecure ACS can be used with command authorization per network device to restrict network administrators as necessary. Using local authentication restricts the administrative access policy to no login on a device or using privilege levels to control access. Controlling access by means of privilege levels is cumbersome and not very scalable. This requires that the privilege levels of specific commands are altered on the AAA client device and specific privilege levels are defined for the user login. It is also very easy to create more problems by editing command privilege levels. Using command authorization on CiscoSecure ACS does not require that you alter the privilege level of controlled commands. The AAA client sends the command to CiscoSecure ACS to be parsed and CiscoSecure ACS determines whether the administrator has permission to use the command. The use of AAA allows authentication on any AAA client to any user on CiscoSecure ACS and limits access to these devices on a per-AAA client basis.
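Putting the two posts together, the switch side of the setup described in the question (local users landing at privilege 15, ACS-authenticated users split into a full-access group and a show-only group via command authorization) looks like the following. This is an added illustration, not configuration from either poster or from Cisco documentation; the server address, key, username and secret are placeholders, and it assumes the ACS is reached over TACACS+ (command authorization is a TACACS+ feature, not a RADIUS one).

```cisco
aaa new-model
!
! TACACS+ server = the Secure ACS box (address and key are placeholders)
tacacs-server host 192.0.2.10 key REPLACE_WITH_SHARED_SECRET
!
! Local account used when the ACS is unreachable; privilege 15 means
! the user lands at the enable prompt without typing "enable"
username localadmin privilege 15 secret REPLACE_WITH_PASSWORD
!
! Authentication: ask ACS first, fall back to the local database
! only if no TACACS+ server answers (not if ACS rejects the login)
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization lets ACS push the shell privilege level per group
aaa authorization exec default group tacacs+ local
!
! Command authorization: every level-1 and level-15 command is sent to
! ACS, which permits or denies it from the group's command set.
! "if-authenticated" lets an already-authenticated user keep working
! when the ACS is down, instead of being locked out of every command.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Accounting gives an audit trail of which user ran which command
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
```

On the ACS side (described here, not shown, because it is configured in the ACS GUI rather than in IOS) the two Windows-database groups map to two ACS groups. Both groups return shell privilege level 15 in their TACACS+ exec settings, so that `show running-config` is reachable for the show-only group as well. The full-access group's shell command authorization set permits every command; the show-only group's set permits only `show` with any arguments and denies everything else, which is what restricts that group even though the exec session is at level 15. Two caveats worth checking before relying on this: with the method lists above, the local account is consulted only when the TACACS+ server does not respond, so local users will not log in while the ACS is up and rejecting them, and a `show running-config` granted at level 15 exposes the configuration (including any non-encrypted secrets) to the show-only group, so that group should be treated as trusted for read access.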
