Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Silver

ACS 5.x using of per-user Shell Command Authorisation with NDGs

We have an implemented of ACS 4.x which allows customers access to their own devices (defined in distinct NDGs). The NDGs are referenced in the "Shell Command Authorization Set" component of "TACACS+ Settings" under the "Assign a Shell Command Authorization Set on a per Network Device Group Basis". How would this map onto ACS 5.x rule-based functionality; would an authorization rule be require for each user?

Thanks,

Matt

  • AAA Identity and NAC
4 REPLIES
New Member

ACS 5.x using of per-user Shell Command Authorisation with NDGs

Hi Matt

In ACS 5 you would create an authorization rule for each user or identity group. You could then add conditions to each policy to allow them access to specific devices. You would then add an authorization rule to each policy with your specific shell commands added to it.

If your authorization policies are a mixture of internal users and AD users then you would need to use a identity store sequence for each policy, rather than specifically choosing internal user or AD user. This is something I found out recently.

So the process would be

create an access service for tacacs

then create a service selection policy to match the tacacs protocol and maybe a specific device type such as cisco router.

then configure your identity within the access service

then configure your authorization policies within the access service

I'm no expert on the new ACS and I'm not 100% I'm doing it the correct way but I have done lots of testing and things are working as I want them too. I can allocate admin and or read only access to users based on their AD group.

You need to set up your NDG in a way you can be as granular as possible within your policies.

Cheers

Jay

Cisco Employee

ACS 5.x using of per-user Shell Command Authorisation with NDGs

Matt,

You wouldn't necessarily need an authorization policy for each user (that could turn into an unmangeable situation if you have a lot of users), as long as you can group the users based on some common criteria. For example, AD group membership if you're using AD as the user database, or local group membership if you're using local users, etc.

Silver

ACS 5.x using of per-user Shell Command Authorisation with NDGs

In order to avoid creating many authorization rules, can I define the Network Device Group name as an attribute of a user (either in an internal or external identity store) and use this is an authorisation rule?

Cisco Employee

ACS 5.x using of per-user Shell Command Authorisation with NDGs

Yes. You can create a condition based on a customer user attribute.

1152
Views
5
Helpful
4
Replies
This widget could not be displayed.