Cisco Support Community
Community Member

ACS 3.3 - User is assigned more than one group

I am using ACS 3.3 and would like to assign privileges to someone who has full rights on switches and read-only on routers. However, ACS only allows a single group to be assigned in user setup. How can I configure it to meet this requirement?

Thank You.

Ray

8 REPLIES
Community Member

Re: ACS 3.3 - User is assigned more than one group

Hi,

You may categorize network devices (AAA Clients) in two NDGs, such as Switches and Routers, and set different authorization levels based on NDGs.

Regards,

Ahmed

Community Member

Re: ACS 3.3 - User is assigned more than one group

Hi Ahmed,

Some staff need full rights on all network devices, but I cannot add the same device to another NDG. It says that the IP conflicts with the other NDG.

BR

Ray

Re: ACS 3.3 - User is assigned more than one group

Ray,

If you have configured command authorization, then you can use the option

"Assign a Shell Command Authorization Set on a per Network Device Group Basis"

Or

"Define max Privilege on a per network device group basis"

These options are in group setup. However, if you don't see them, then go to interface configuration ----> Tacacs ----> Enable advance tacacs options.

Regards,

~JG

Community Member

Re: ACS 3.3 - User is assigned more than one group

JG,

I have not found the "Assign a Shell Command Authorization Set on a per Network Device Group Basis" option in group setup. Do I need to enable something to activate it?

Thank you.

Ray

Silver

Re: ACS 3.3 - User is assigned more than one group

You need to switch the feature on under interface config... On the TACACS+ sub page, enable the shell service.

In group setup you should then see the shell command device command authorisation section. You probably need to have some NDGs set up too.

It's also best to define the shell device command sets (under shared profile components) first. That way, when you edit a group, all you need to do is choose which NDGs are assigned a particular DCS.

Community Member

Re: ACS 3.3 - User is assigned more than one group

Hi,

I saw a "Shell Command Authorization" section, but there are only 3 options, which are:

1. None

2. Assign a Shell Command Authorization Set for any network device

3. Per Group Command Authorization

There is no "Assign a Shell Command Authorization Set on a per Network Device Group Basis" option.

Am I missing anything?

Thank you.

Ray

Re: ACS 3.3 - User is assigned more than one group

Make sure you go to interface configuration ----> Tacacs ----> Enable advance tacacs options.

Go to interface configuration ----> Advanced option ----> Check all related to NAR ----> restart ACS services.

It should be there.

~JG

Community Member

Re: ACS 3.3 - User is assigned more than one group

Hi JG

Thank you very much. I found it.

Ray
