
CS ACS v2.3->v4.0 Multiple Command Authorization Sets

skingry
Level 1

I have a situation where I need members of the same group to have different TACACS command authorization depending upon the device that they are logged into. In the old Unix software (v2.3 I think it is), this was easy to implement. However, I have not figured out how to do it in the newer Windows software (v4.0). The closest I have gotten is that it looks like one can have different command authorization sets for different NDGs (all assigned to the same group), but I've only figured out how to make a device and more importantly, the AAA server, a member of one NDG!?

2 Replies

darpotter
Level 5

Hi

Generally the AAA server itself doesn't need to be in an NDG, just leave it in "Default".

But your approach is sound, by adding NDG->DCS mappings you are in effect creating "Role based access control".

Design of the NDGs is critical as you can only have a single topology, i.e., one device can't be in multiple NDGs.

The obvious example is geography, where ACS users in the admins group get a full access DCS for their own locale and more restricted (or read only) access to others.

There's an excellent white paper by Andrew Clymer still on cisco.com at http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080088893.shtml

Darran
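The design Darran describes (devices placed in exactly one NDG, a user group that maps each NDG to a different shell command authorization set, AAA server left in "Default") can be modelled as a small role-based authorization lookup. The following is an added example written for this thread, not Cisco ACS code or anything from the original posts: the NDG names, device names, group and command-set names are all constructed, and the command-set semantics are a simplified version of ACS's per-command permit list with a permit/deny policy for unlisted commands.

```python
"""Constructed model of per-NDG shell command authorization (not ACS code).

Illustrates the thread's design: one device -> one NDG (single topology),
one user group -> a different command authorization set per NDG, and
fail-closed behaviour when no set is mapped for the device's NDG.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CommandSet:
    """Simplified shell command authorization set.

    commands maps a command word to the argument prefixes it permits
    ("" permits any arguments). Commands not listed fall back to
    permit_unmatched, mirroring ACS's permit/deny for unmatched commands.
    """
    name: str
    permit_unmatched: bool
    commands: Dict[str, List[str]] = field(default_factory=dict)

    def permits(self, cmd: str, args: str) -> bool:
        if cmd not in self.commands:
            return self.permit_unmatched
        return any(args.startswith(prefix) for prefix in self.commands[cmd])


class NdgTopology:
    """Device -> NDG assignment. A device may belong to only one NDG;
    devices never assigned fall into the 'Default' NDG."""

    def __init__(self) -> None:
        self._device_ndg: Dict[str, str] = {}

    def assign(self, device: str, ndg: str) -> None:
        current = self._device_ndg.get(device)
        if current is not None and current != ndg:
            raise ValueError(
                f"{device} is already in NDG {current}; a device can be in only one NDG"
            )
        self._device_ndg[device] = ndg

    def ndg_of(self, device: str) -> str:
        return self._device_ndg.get(device, "Default")


@dataclass
class UserGroup:
    """Group with an NDG -> command set mapping (the RBAC part)."""
    name: str
    per_ndg: Dict[str, CommandSet]
    default_set: Optional[CommandSet] = None   # used when the NDG is unmapped

    def command_set_for(self, ndg: str) -> Optional[CommandSet]:
        return self.per_ndg.get(ndg, self.default_set)


def authorize(group: UserGroup, topology: NdgTopology,
              device: str, command_line: str) -> Tuple[bool, str]:
    """Decide a shell command for a group member logged into `device`.

    Returns (permitted, reason). With no command set mapped for the
    device's NDG the decision is deny, so an unplaced device does not
    silently inherit full access.
    """
    cmd, _, args = command_line.strip().partition(" ")
    ndg = topology.ndg_of(device)
    cs = group.command_set_for(ndg)
    if cs is None:
        return False, f"no command set mapped for NDG {ndg}"
    return cs.permits(cmd, args), f"NDG {ndg} -> set {cs.name}"


def build_example() -> Tuple[UserGroup, NdgTopology]:
    """Constructed sample data: a geography-based topology as in the reply."""
    full_east = CommandSet("FullAccessEast", permit_unmatched=True)
    read_only_eu = CommandSet(
        "ReadOnlyEU", permit_unmatched=False,
        commands={"show": ["ip", "interfaces", "version"], "ping": [""]},
    )
    admins = UserGroup("admins", {"US-East": full_east, "EU": read_only_eu})

    topo = NdgTopology()
    topo.assign("rtr-nyc-01", "US-East")   # constructed device names
    topo.assign("rtr-ams-01", "EU")
    # The AAA server itself stays in Default; it is not assigned here.
    return admins, topo


if __name__ == "__main__":
    group, topo = build_example()
    for dev, line in [("rtr-nyc-01", "configure terminal"),
                      ("rtr-ams-01", "configure terminal"),
                      ("rtr-ams-01", "show ip route"),
                      ("sw-unknown", "show version")]:
        print(dev, repr(line), authorize(group, topo, dev, line))
```

Running the block shows the same admin getting full access on the US-East router, show/ping only on the EU router, and a deny on a device that was never placed in an NDG; attempting to assign a device to a second NDG raises an error, which is the single-topology constraint from the reply.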

Thank you very much for the reply and link, and I apologize for my tardiness in responding. I had tried a couple of times w/o success to leave the AAA server in the default group, but after reading the white paper and your response, I decided that I probably had something else that was the problem as well.

The problem turned out to be a Shell Command Authorization Set with an invalid naming convention. Well, no errors were generated in the GUI, but it wasn't working. I renamed the set with letters only, and all is well.