Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS 5.5 changing user password

Hi All,

1)Is it possible to disable users from changing their password in acs? The user have access to all devices.

2) Is it possible to prompt users o change enable password? Please advise.

 

Thanks

 

Everyone's tags (1)
3 REPLIES

Uncheck change password on

Uncheck change password on next login is one way under the account.

Secondly, you can set the password never to expire using the checkbox (ACS 5.5 feature).

Enable password cannot be changed on prompt basis.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

Hi Rakesh,If you are looking

Hi Rakesh,

If you are looking for ACS GUI Admin rights who access ACS..... yes you can create the restricted profile in ACS to not to do any modification in ACS. But there some limitations on that... I have pasted the details in the post below.

If you don't want the end users who access network devices, servers or any system that is authenticating via cisco acs can be restricted by giving uncheck on a check box for changing the password by next login.

Usually enable password is also intergrated to the tacacs so even enable uses the same as login password.... You are restricted here to not changing enable password....

 

Understanding Roles

Roles consist of typical administrator tasks, each with an associated set of permissions. Each administrator can have more than one predefined role, and a role can apply to multiple administrators. As a result, you can configure multiple tasks for a single administrator and multiple administrators for a single task.

You use the Administrator Accounts page to assign roles. In general, a precise definition of roles is the recommended starting point. Refer to Creating, Duplicating, Editing, and Deleting Administrator Accounts for more information.

Assigning Roles

You can assign roles to the internal administrator account. ACS 5.4 provides two methods to assign roles to internal administrators:

  • Static Role assignment—Roles are assigned manually to the internal administrator account.
  • Dynamic Role assignment—Roles are assigned based on the rules in the AAC authorization policy.

Assigning Static Roles

ACS 5.4 allows you to assign the administrator roles statically to an internal administrator account. This is applicable only for the internal administrator accounts. If you choose this static option, then you must select the administrator roles for each internal administrator account manually. When an administrator is trying to access the account, if that administrator is configured in an administrator internal identity store with a static role assignment, only the identity policy is executed for authentication. The authorization policy is skipped. After successful execution of the identity policy, the administrator is assigned with the selected role for the administrator account.

Assigning Dynamic Roles

ACS 5.4 allows you to assign the administrator roles statically to an internal administrator account.

If the administrator account is configured in an external or internal identity store and has a dynamic role assignment, ACS evaluates the authorization policy and gets a list of administrator roles and use it dynamically or Deny Access as the result. If the super admin assigns a dynamic role for an administrator and does not configure the authorization policy, then authorization of that administrator account uses the default value “deny access”. As a result, the authorization for this administrator account is denied. But, if you assign a static role for an administrator, then the authorization policy does not have any impact on authorizing that administrator.

Based on the selected role, ACS authenticates and manages the administrator access restrictions and authentications. If Deny Access is the result of the evaluation, then ACS denies access to the administrator and logs the reason for failure in the customer logs.


Note The ACS web interface displays only the functions for which you have privileges. For example, if your role is Network Device Admin, the System Administration drawer does not appear because you do not have permissions for the functions in that drawer.


 

Permissions

A permission is an access right that applies to a specific administrative task. Permissions consist of:

  • A Resource – The list of ACS components that an administrator can access, such as network resources, or policy elements.
  • Privileges – The privileges are Create, Read, Update, Delete, and eXecute (CRUDX). Some privileges cannot apply to a given resource. For example, the user resource cannot be executed.

A resource given to an administrator without any privileges means that the administrator has no access to resources. In addition, the permissions are discrete. If the privileges create, update, and delete apply to a resource, the read privilege is not available.

 

HTH

 

Regards

Karthik

 

 

 

Cisco Employee

 PermissionsA permission is


.

 

Permissions

A permission is an access right that applies to a specific administrative task. Permissions consist of:

  •  A Resource – The list of ACS components that an administrator can access, such as network resources, or policy elements.
  •  Privileges – The privileges are Create, Read, Update, Delete, and eXecute (CRUDX). Some privileges cannot apply to a given resource. For example, the user resource cannot be executed.

A resource given to an administrator without any privileges means that the administrator has no access to resources. In addition, the permissions are discrete. If the privileges create, update, and delete apply to a resource, the read privilege is not available.

If no permission is defined for an object, the administrator cannot access this object, not even for reading.


Note You cannot make permission changes.


 

Predefined Roles

Table 16-1 shows the predefined roles included in ACS:

 

Table 16-1 redefined Role Descriptions

Role
rivileges

ChangeAdminPassword

This role is intended for ACS administrators who manage other administrator accounts. This role entitles the administrator to change the password of other administrators.

ChangeUserPassword

This role is intended for ACS administrators who manage internal user accounts. This role entitles the administrator to change the password of internal users.

NetworkDeviceAdmin

This role is intended for ACS administrators who need to manage the ACS network device repository only, such as adding, updating, or deleting devices. This role has the following permissions:

  • Read and write permissions on network devices
  • Read and write permissions on NDGs and all object types in the Network Resources drawer

PolicyAdmin

This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions:

  • Read and write permissions on all the elements used in policies, such as authorization profile, NDGs, IDGs, conditions, and so on
  • Read and write permissions on services policy

ReadOnlyAdmin

This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface.

This role has read-only access to all resources

ReportAdmin

This role is intended for administrators who need access to the ACS Monitoring and Report Viewer to generate and view reports or monitoring data only.

This role has read-only access on logs.

SecurityAdmin

This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions:

  • Read and write permissions on internal protocol users and administrator password policies
  • Read and write permissions on administrator account settings
  • Read and write permissions on administrator access settings

SuperAdmin

The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is most convenient, and this is the role assigned to the predefined ACSAdmin account.

This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources.

SystemAdmin

This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions:

  • Read and write permissions on all system administration activities except for account definition
  • Read and write permissions on ACS instances

UserAdmin

This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which includes internal users and internal hosts. This role has the following permissions:

  • Read and write permissions on users and hosts
  • Read permission on IDGs

 

Uncheck change password on next login is one way under the account.

Secondly, you can set the password never to expire using the checkbox (ACS 5.5 feature)

765
Views
0
Helpful
3
Replies
CreatePlease to create content