08-19-2009 07:43 AM - edited 03-10-2019 04:39 PM
How can I set Cisco ACS to apply full level 15 access to a user when they connect to a switch, but read only access when they connect to a firewall?
08-19-2009 08:17 AM
Hi,
This can be done by using command shell authorization.
Please see documentation below.
If you have any questions, do not hesitate to contact me.
08-19-2009 08:36 AM
You can set this by using command authorization.
ACS config:
==========
Create two NDGs, one for the ASA client and one for the switch client, under Network Configuration.
Create two different command authorization sets:
Switch = permit all
ASA = deny all and permit show only
Now go to the user account, scroll down to the Shell Command Authorization Set section, and choose "Assign a Shell Command Authorization Set on a per Network Device Group Basis".
Here you can map each NDG to its respective command authorization set.
On the ASA:
===========
aaa authorization command <tacacs-server-group> LOCAL
On the switch
=============
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
For more info, please refer to this link:
Let me know if you face any issues.
Regards
JK
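The following is an added illustration of the decision logic JK's answer describes; it is not ACS, IOS or ASA code. It models the two sides of shell command authorization: the AV pairs a device sends to TACACS+ for each command (`service=shell`, `cmd=`, `cmd-arg=`), and a server-side lookup that resolves the device to its Network Device Group, picks the command authorization set mapped to that group for the user, and applies "permit all" on switches but "deny all, permit show" on firewalls. The user name, device addresses, NDG names and set names are constructed sample values.

```python
"""Simulation of per-NDG shell command authorization (illustrative, not ACS code)."""

from dataclasses import dataclass


def to_av_pairs(command_line: str) -> list[str]:
    """Build the AV pairs a Cisco device sends for shell command authorization:
    the first word is cmd=, each remaining word is a cmd-arg=, ending in <cr>."""
    words = command_line.split()
    if not words:
        raise ValueError("empty command line")
    pairs = ["service=shell", f"cmd={words[0]}"]
    pairs += [f"cmd-arg={w}" for w in words[1:]]
    pairs.append("cmd-arg=<cr>")  # end-of-line marker closes the argument list
    return pairs


@dataclass(frozen=True)
class CommandSet:
    """One shell command authorization set."""
    name: str
    unmatched: str  # verdict for commands not listed explicitly: "permit" or "deny"
    commands: dict  # explicit per-command verdicts, e.g. {"show": "permit"}


# Sets matching the thread: switch = permit all; ASA = deny all, permit show.
PERMIT_ALL = CommandSet("switch-full-access", unmatched="permit", commands={})
SHOW_ONLY = CommandSet("asa-read-only", unmatched="deny", commands={"show": "permit"})

# Constructed NDG membership: device address -> Network Device Group.
NDG_MEMBERSHIP = {
    "192.0.2.10": "Switches",
    "192.0.2.20": "Firewalls",
}

# Constructed per-user mapping of NDG -> command set (the per-NDG assignment
# made on the user account in the thread).
USER_NDG_SETS = {
    "netadmin": {"Switches": PERMIT_ALL, "Firewalls": SHOW_ONLY},
}


def authorize(user: str, device_ip: str, av_pairs: list[str]) -> tuple[bool, str]:
    """Return (permitted, reason) for one authorization request.

    Every lookup failure is a denial: an unknown device, a user with no
    mapping, or a group with no assigned set must never fall through to permit.
    """
    if "service=shell" not in av_pairs:
        return False, "not a shell command authorization request"
    cmd = next((p[len("cmd="):] for p in av_pairs if p.startswith("cmd=")), None)
    if cmd is None:
        return False, "request carries no cmd attribute"
    group = NDG_MEMBERSHIP.get(device_ip)
    if group is None:
        return False, f"device {device_ip} is not a member of any NDG"
    cmdset = USER_NDG_SETS.get(user, {}).get(group)
    if cmdset is None:
        return False, f"no command set mapped for user {user!r} in NDG {group!r}"
    verdict = cmdset.commands.get(cmd, cmdset.unmatched)
    return verdict == "permit", f"{cmdset.name}: cmd={cmd} -> {verdict}"


if __name__ == "__main__":
    for device, line in [
        ("192.0.2.10", "configure terminal"),
        ("192.0.2.20", "configure terminal"),
        ("192.0.2.20", "show running-config"),
        ("192.0.2.99", "show version"),
    ]:
        ok, why = authorize("netadmin", device, to_av_pairs(line))
        print(f"{device:12} {line:22} {'PASS' if ok else 'FAIL'}  ({why})")
```

Two points the simulation makes visible: the verdict depends on which NDG the device belongs to, not on the user alone, so a device left out of both groups is denied rather than silently permitted; and the ASA set matches on the command word only, so `show running-config` is permitted by "permit show" just as any other `show` is. Note also that the IOS lines in the answer end in `local`, meaning the switch falls back to local authorization if the TACACS+ group is unreachable; that fallback is device-side behaviour the server-side model above does not cover.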