Command Authorization on PIX 6.3 and ACS v3.3

nojpt
Level 1

Hi,

I am researching how to enable command authorization on a PIX firewall running software v6.3 through an ACS v3.3.

I only have a production unit, so I am very cautious about doing test configuration on the firewall. I might get locked up and kicked in the butt. =)

Inputs on the step-by-step configuration of ACS and pix would be greatly appreciated.

Thanks in advance!

Jonathan


darpotter
Level 5

Hi

On the ACS side, the config you choose very much depends on the scale of your deployment.

If you have one or two users, you can define per-user command authorisation within ACS.

If you have many users, you should do this at group level.

Moving on, if you have many devices you can look at creating pixshell command sets and grouping the devices into Network Device Groups (NDGs). Within each group you then map from NDGs to command sets.

This gives the functionality of an RBAC (Role Based Access Control) server, where a member of a group has a certain role with associated rights based on the NDG being configured.

You may also want to use NARs to prevent certain admins from even being able to log on to the device.

So the first job is to scope your deployment and figure out what level of config (and hence complexity) is required in ACS.

Then get a copy of extraxi aaa-reports! to audit your ACS logs :)

Darran
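For the PIX side of the question, here is an added configuration example (not from either poster, and not a Cisco-supplied template) showing the TACACS+ command-authorization statements on PIX 6.3 with a LOCAL fallback so that an unreachable ACS does not lock the admin out. The server address 10.1.1.5, the shared key, and the local user name are assumptions; the `LOCAL` fallback keyword on the `aaa authorization command` line is the PIX 6.3 fallback syntax as the editor understands it and should be checked against the command reference for your exact release before applying to a production unit.

```text
! Define the TACACS+ server group and point it at the ACS host (assumed address/key)
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.5 CHANGE_THIS_KEY timeout 5

! Local fallback account so the box stays reachable if ACS is down (assumed user)
username localadmin password CHANGE_THIS_PASSWORD privilege 15

! Authenticate console, SSH and enable against ACS, falling back to the local database
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL

! Ask ACS (pixshell service) to authorize every command; fall back to local
! privilege levels only if the TACACS+ servers are unreachable
aaa authorization command TACACS+ LOCAL
```

Before committing the `aaa authorization command` line on a live unit, keep a second session open and confirm with `show aaa-server` that the TACACS+ host is reachable, so a typo in the key does not cost you the console.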