ACS 5.x using of per-user Shell Command Authorisation with NDGs

mmelbourne
Level 5

We have an implementation of ACS 4.x which allows customers access to their own devices (defined in distinct NDGs). The NDGs are referenced in the "Shell Command Authorization Set" component of "TACACS+ Settings" under "Assign a Shell Command Authorization Set on a per Network Device Group Basis". How would this map onto ACS 5.x rule-based functionality; would an authorization rule be required for each user?

Thanks,

Matt

4 Replies

c-computershare
Level 1

Hi Matt

In ACS 5 you would create an authorization rule for each user or identity group. You could then add conditions to each policy to allow them access to specific devices. You would then add an authorization rule to each policy with your specific shell commands added to it.

If your authorization policies are a mixture of internal users and AD users then you would need to use an identity store sequence for each policy, rather than specifically choosing internal user or AD user. This is something I found out recently.

So the process would be

create an access service for tacacs

then create a service selection policy to match the tacacs protocol and maybe a specific device type such as cisco router.

then configure your identity within the access service

then configure your authorization policies within the access service

I'm no expert on the new ACS and I'm not 100% sure I'm doing it the correct way, but I have done lots of testing and things are working as I want them to. I can allocate admin and/or read-only access to users based on their AD group.

You need to set up your NDG in a way you can be as granular as possible within your policies.

Cheers

Jay

Matt,

You wouldn't necessarily need an authorization policy for each user (that could turn into an unmanageable situation if you have a lot of users), as long as you can group the users based on some common criteria. For example, AD group membership if you're using AD as the user database, or local group membership if you're using local users, etc.

In order to avoid creating many authorization rules, can I define the Network Device Group name as an attribute of a user (either in an internal or external identity store) and use this in an authorisation rule?

Yes. You can create a condition based on a custom user attribute.
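To make the two approaches in this thread concrete (one rule per identity group per NDG, versus a single rule whose condition compares a custom user attribute with the device's NDG), here is an added model of ACS 5.x-style first-match authorization and shell command set evaluation. It is illustrative code, not Cisco's implementation: the customer names, the "Customer-NDG" attribute, the identity groups and the command sets are all constructed for the example, and the argument matching is a plain regex fullmatch rather than ACS's exact semantics.

```python
"""Model of rule-based TACACS+ shell command authorization (ACS 5.x style).

Added illustration, not Cisco code. Device groups, identity groups, the
'Customer-NDG' user attribute and the command sets are constructed examples.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Device:
    name: str
    ndg: str                 # network device group, e.g. "Customer:Alpha"


@dataclass
class User:
    name: str
    identity_group: str      # AD group or internal identity group
    attributes: dict = field(default_factory=dict)   # custom user attributes


@dataclass
class CommandSet:
    """Shell command authorization set: ordered permit/deny rows, default deny."""
    name: str
    entries: list            # (action, command, argument_regex)
    permit_unmatched: bool = False   # 'permit any command not in the table'

    def permits(self, line: str) -> bool:
        parts = line.split(maxsplit=1)
        command, args = parts[0], (parts[1] if len(parts) > 1 else "")
        for action, cmd, arg_re in self.entries:
            if cmd == command and re.fullmatch(arg_re, args):
                return action == "permit"
        return self.permit_unmatched


@dataclass
class Rule:
    name: str
    condition: Callable[[User, Device], bool]
    result: CommandSet


@dataclass
class AuthorizationPolicy:
    rules: list

    def match(self, user: User, device: Device) -> Optional[Rule]:
        for rule in self.rules:          # first matching rule wins
            if rule.condition(user, device):
                return rule
        return None


def authorize(policy: AuthorizationPolicy, user: User, device: Device, line: str):
    """Return (name of the matched rule or None, whether the command is permitted)."""
    rule = policy.match(user, device)
    if rule is None:
        return None, False                # no rule matched: deny
    return rule.name, rule.result.permits(line)


# Constructed command sets
FULL_ACCESS = CommandSet("FullAccess", [], permit_unmatched=True)
CUSTOMER_RO = CommandSet("CustomerReadOnly", [
    ("permit", "show", r".*"),
    ("permit", "exit", r""),
    ("deny", "configure", r".*"),
])


def per_customer_rule(customer: str) -> Rule:
    """Approach 1: one rule per customer group, tied to that customer's NDG."""
    return Rule(f"Customer-{customer}",
                lambda u, d, c=customer: u.identity_group == f"Customer-{c}"
                and d.ndg == f"Customer:{c}",
                CUSTOMER_RO)


# Approach 2: a single rule; the user's 'Customer-NDG' attribute must equal the device NDG.
OWN_DEVICES_RULE = Rule("Customer-OwnDevices",
                        lambda u, d: u.attributes.get("Customer-NDG") == d.ndg,
                        CUSTOMER_RO)

POLICY = AuthorizationPolicy([
    Rule("NetAdmins", lambda u, d: u.identity_group == "NetAdmins", FULL_ACCESS),
    OWN_DEVICES_RULE,      # replaces per_customer_rule("Alpha"), per_customer_rule("Beta"), ...
])

# Constructed sample users and devices
ALICE = User("alice", "Customer-Alpha", {"Customer-NDG": "Customer:Alpha"})
BOB = User("bob", "NetAdmins")
RTR_ALPHA = Device("alpha-rtr1", "Customer:Alpha")
RTR_BETA = Device("beta-rtr1", "Customer:Beta")

if __name__ == "__main__":
    for user, dev, cmd in [(ALICE, RTR_ALPHA, "show ip interface brief"),
                           (ALICE, RTR_ALPHA, "configure terminal"),
                           (ALICE, RTR_BETA, "show version"),
                           (BOB, RTR_BETA, "configure terminal")]:
        print(user.name, dev.name, repr(cmd), "->", authorize(POLICY, user, dev, cmd))
```

The design point is the condition on OWN_DEVICES_RULE: because it compares a per-user attribute with the NDG of the device being accessed, the rule count stays constant as customers are added, whereas per_customer_rule grows one rule per customer (and would grow per user if no grouping were available). Either way the unmatched case denies, so a user whose attribute does not match the device's NDG gets no command set at all.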