11-10-2011 07:43 AM - edited 03-10-2019 06:32 PM
We have an implementation of ACS 4.x which allows customers access to their own devices (defined in distinct NDGs). The NDGs are referenced in the "Shell Command Authorization Set" component of "TACACS+ Settings" under "Assign a Shell Command Authorization Set on a per Network Device Group Basis". How would this map onto ACS 5.x rule-based functionality; would an authorization rule be required for each user?
Thanks,
Matt
11-11-2011 09:19 AM
Hi Matt
In ACS 5 you would create an authorization rule for each user or identity group. You could then add conditions to each policy to allow them access to specific devices. You would then add an authorization rule to each policy with your specific shell commands added to it.
If your authorization policies are a mixture of internal users and AD users then you would need to use an identity store sequence for each policy, rather than specifically choosing internal user or AD user. This is something I found out recently.
So the process would be:
Create an access service for TACACS+.
Then create a service selection policy to match the TACACS+ protocol and maybe a specific device type such as Cisco router.
Then configure your identity within the access service.
Then configure your authorization policies within the access service.
I'm no expert on the new ACS and I'm not 100% sure I'm doing it the correct way, but I have done lots of testing and things are working as I want them to. I can allocate admin and/or read-only access to users based on their AD group.
You need to set up your NDG in a way you can be as granular as possible within your policies.
Cheers
Jay
11-14-2011 08:25 AM
Matt,
You wouldn't necessarily need an authorization policy for each user (that could turn into an unmanageable situation if you have a lot of users), as long as you can group the users based on some common criteria. For example, AD group membership if you're using AD as the user database, or local group membership if you're using local users, etc.
11-23-2011 07:41 AM
In order to avoid creating many authorization rules, can I define the Network Device Group name as an attribute of a user (either in an internal or external identity store) and use this in an authorisation rule?
11-24-2011 04:07 AM
Yes. You can create a condition based on a custom user attribute.
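To make the advice in this thread concrete, here is an added example (not ACS code, and not from any poster) that models ACS 5.x first-match authorization rules in Python: users are matched by identity group, and a custom user attribute (assumed here to be named `ndg`) is compared against the NDG of the device being accessed, so a handful of rules covers many users and customers. All group, attribute, user and command-set names are constructed for the illustration.

```python
# Added example: a small model of ACS 5.x rule-based shell command
# authorization. Not ACS code; all names below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    name: str
    identity_groups: Set[str]                      # e.g. AD group names
    attributes: Dict[str, str] = field(default_factory=dict)  # custom attrs


@dataclass
class Rule:
    name: str
    required_group: Optional[str]   # identity group condition (None = any)
    ndg_from_attr: Optional[str]    # user attribute that must equal device NDG
    command_set: str                # shell command authorization set to apply


def evaluate(rules: List[Rule], user: User, device_ndg: str) -> str:
    """First-match evaluation like an ACS 5 authorization policy: return the
    command set of the first rule whose conditions all hold, else deny."""
    for rule in rules:
        if rule.required_group and rule.required_group not in user.identity_groups:
            continue
        if rule.ndg_from_attr and user.attributes.get(rule.ndg_from_attr) != device_ndg:
            continue
        return rule.command_set
    return "DenyAccess"   # the default rule when nothing matches


# Two rules replace one rule per user: staff get everything on every device,
# customers get a read-only set only on the NDG named in their own attribute.
RULES = [
    Rule("Staff admins", "NetAdmins", None, "FullAccessCmds"),
    Rule("Customer read-only", "Customers", "ndg", "ReadOnlyCmds"),
]

# Constructed users: one staff account and two customers with distinct NDGs.
USERS = {
    "alice": User("alice", {"NetAdmins"}),
    "bob": User("bob", {"Customers"}, {"ndg": "CustomerA"}),
    "carol": User("carol", {"Customers"}, {"ndg": "CustomerB"}),
    "dave": User("dave", set()),   # no group membership at all
}

if __name__ == "__main__":
    for name, user in USERS.items():
        for ndg in ("CustomerA", "CustomerB"):
            print(f"{name} -> {ndg}: {evaluate(RULES, user, ndg)}")
```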