Cisco Support Community

New Member
ACS 5.1 using Active Directory to manage network device Admin policy

Hi guys, we've configured an ACS 5.1 and integrated it with Active Directory (Win2K3). We created two groups in the AD for managing network devices, one for Administrators and the other for Operators (read-only), so we configured a device admin policy and both groups work fine. But now we are facing a little problem: any user who exists in the AD can log in (user exec mode) to the network devices, and we want to restrict the login with the policy, but we just don't know how.

Is there a way to get a user authenticated against an external group or the internal ACS store, but at user level, just like you can do in ACS 4.X?

Thanks for your help!!!

Best Regards

Oscar

8 REPLIES
Cisco Employee

ACS 5.1 using Active Directory to manage network device Admin po

Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles then edit the shell profile and choose Not in use for privilege level there.

Submit the changes and try again.

~BR Jatin Katyal **Do rate helpful posts**
New Member

ACS 5.1 using Active Directory to manage network device Admin po

Hi Katyal, the normal users (not Administrators or Operators) are falling into the Permit Access shell profile and I cannot modify it.

Any ideas.

Cisco Employee

ACS 5.1 using Active Directory to manage network device Admin po

Yeah, you cannot edit that, it's a default shell profile. All you need to do is create a new one with privilege level "not in use" and select the new shell profile for (not Administrators or Operators) under Default Device Admin >> authorization profile >> edit it and make changes.

Hope this helps.

~BR Jatin Katyal **Do rate helpful posts**
New Member

ACS 5.1 using Active Directory to manage network device Admin po

Normal users are still falling into the Permit Access shell profile. I think it is because all users match the "Identity Policy Matched Rule", which matches "protocol tacacs". I've tried to find an attribute to make a difference, like the groups that we configured in the AD, but I still haven't found it.

Now I modified the identity rule, adding a compound condition "system username", and it works, but I have to include every administrator and operator. Do you think there is an easy way to accomplish this?

Cisco Employee

ACS 5.1 using Active Directory to manage network device Admin po

You can categorise using internal groups, since devices and protocol are the same in both cases.

Regards,

Jatin

~BR Jatin Katyal **Do rate helpful posts**
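The thread's fix, put into a runnable model as an added illustration (this is not ACS code and nothing here is from Cisco): a device-admin authorization table evaluated first-match on AD group membership, where the default rule decides what every other domain account receives. Group names, profile names and the "No Shell" profile (standing in for the new shell profile with privilege level "not in use") are constructed; treating that profile as granting no exec shell is this model's assumption about the behaviour the thread reports.

```python
"""Model of an ACS 5.x device-administration authorization policy: rules are
evaluated top to bottom, the first match wins, and the default rule covers
every authenticated user who matched none of them. Added illustration only;
group and profile names are constructed and this is not ACS code."""
from dataclasses import dataclass

# Constructed shell profiles. "Permit Access" is the built-in profile the thread
# says cannot be edited (the thread reports it lands users in user exec mode,
# modelled here as privilege 1). "No Shell" stands for the new profile created
# with privilege level "Not in use"; treating it as "no exec shell" is this
# model's assumption about the behaviour the thread describes.
SHELL_PROFILES = {
    "Permit Access": {"priv_lvl": 1},
    "Admin Shell": {"priv_lvl": 15},
    "Operator Shell": {"priv_lvl": 1},
    "No Shell": {"priv_lvl": None},
}

@dataclass(frozen=True)
class Rule:
    name: str
    ad_group: str          # constructed AD group the user must belong to
    shell_profile: str

ADMIN_GROUP = "CN=NetAdmins,OU=Groups,DC=example,DC=local"     # constructed
OPER_GROUP = "CN=NetOperators,OU=Groups,DC=example,DC=local"   # constructed

RULES = [
    Rule("Administrators", ADMIN_GROUP, "Admin Shell"),
    Rule("Operators", OPER_GROUP, "Operator Shell"),
]

def authorize(user_groups, default_profile):
    """Return the shell profile the policy selects for a user with these AD groups."""
    for rule in RULES:
        if rule.ad_group in user_groups:
            return rule.shell_profile
    return default_profile   # no rule matched: the default rule decides

def exec_access(profile_name):
    """(login allowed, privilege level) for a profile, per this model's assumption."""
    priv = SHELL_PROFILES[profile_name]["priv_lvl"]
    return (priv is not None, priv)

def before_fix(user_groups):
    """Starting state in the thread: the default rule hands out Permit Access,
    so any domain account that authenticates gets an exec shell."""
    return exec_access(authorize(user_groups, "Permit Access"))

def after_fix(user_groups):
    """The fix: the default rule points at the restrictive profile instead, so
    only members of the two AD groups receive a shell."""
    return exec_access(authorize(user_groups, "No Shell"))

if __name__ == "__main__":
    plain_user = {"CN=Domain Users,OU=Groups,DC=example,DC=local"}   # constructed
    print("plain domain account, before:", before_fix(plain_user))
    print("plain domain account, after: ", after_fix(plain_user))
    print("operator, after:", after_fix({OPER_GROUP}))
    print("administrator, after:", after_fix({ADMIN_GROUP}))
```

The point the model makes is that the group-specific rules were never the problem; the default rule was. Whatever the default rule returns is what every authenticated account that matches no other rule receives, so it has to be the most restrictive profile, not the built-in permissive one.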
New Member

Re: ACS 5.1 using Active Directory to manage network device Admi

Now it's working as expected.

One last question: is it possible that users from the same group could be authenticated using AD and others using the ACS internal database? I mean, could we choose the authentication method at user level?

Thank you so much for your help.

Regards,

Oscar

Cisco Employee

ACS 5.1 using Active Directory to manage network device Admin po

Yes, you should have the user on the internal database and on AD too, and then select the user to check the password against any configured database.

Create an attribute "ACS-RESERVED-Authen-ID-Store" with String type under System Administration > Configuration > Dictionaries > Identity > Internal Users, and set this attribute's corresponding value in the internal user "User1" to AD1.

Set the identity store as Internal Users in Access Policies.

You can then edit the user in the internal database as per your requirement.

Regards,

Jatin

Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
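The per-user redirection described in the reply above, written out as a runnable model (an added illustration, not ACS code or anything from Cisco): the identity policy selects Internal Users, and an internal user whose ACS-RESERVED-Authen-ID-Store attribute names an external store has the password verified there instead of against the internal credential. The usernames, passwords, the store name "AD1" and the SHA-256 stand-in for internal credential storage are all constructed.

```python
"""Model of per-user authentication-store redirection: the identity policy
points at Internal Users, and an internal user whose
ACS-RESERVED-Authen-ID-Store attribute names an external store has the
password verified by that store. Added illustration only; users, passwords
and the store name are constructed and this is not ACS code."""
import hashlib
import hmac

def _digest(password):
    # Constructed stand-in for however the internal store protects passwords.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed internal-user table. "oscar" exists here and in AD1, so the
# attribute sends his password check to AD1; "svc-backup" is internal only.
INTERNAL_USERS = {
    "oscar": {"credential": None, "ACS-RESERVED-Authen-ID-Store": "AD1"},
    "svc-backup": {"credential": _digest("B4ckup!Tape"),
                   "ACS-RESERVED-Authen-ID-Store": None},
}

# Constructed external identity stores: name -> callable(user, password) -> bool.
EXTERNAL_STORES = {
    "AD1": lambda user, password: (user, password) == ("oscar", "W1nter-2010"),
}

def authenticate(username, password):
    """Return (success, store_that_checked_the_password)."""
    user = INTERNAL_USERS.get(username)
    if user is None:
        # Identity store is Internal Users only, so an account that is not
        # in the internal table is rejected before any external store is asked.
        return (False, "internal")
    store_name = user["ACS-RESERVED-Authen-ID-Store"]
    if store_name is None:
        if user["credential"] is None:
            return (False, "internal")
        ok = hmac.compare_digest(user["credential"], _digest(password))
        return (ok, "internal")
    store = EXTERNAL_STORES.get(store_name)
    if store is None:
        # The attribute names a store that is not configured: fail closed.
        return (False, store_name)
    return (bool(store(username, password)), store_name)

if __name__ == "__main__":
    print(authenticate("oscar", "W1nter-2010"))        # AD1 verifies the password
    print(authenticate("svc-backup", "B4ckup!Tape"))   # internal credential
    print(authenticate("nobody", "W1nter-2010"))       # not in internal store
```

Two properties of the arrangement are worth keeping in view: the internal user table is the gate (an AD account with no internal entry cannot authenticate at all, which is what the thread wanted), and the attribute value must name a store that actually exists, otherwise the model rejects the login rather than silently falling back to the internal credential.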
Cisco Employee

Re: ACS 5.1 using Active Directory to manage network device Admi

In case you are running ACS code below ACS 5.2.0.26 patch 2, then you won't be able to avail of this feature. This was an enhancement request which got fixed in ACS 5.2 patch 2.

CSCtk32683    Authenticate internal DB user on external identity store

Regards,

Jatin

Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**