Cisco Support Community

New Member

Different Permissions

How can I set Cisco ACS to apply full level 15 access to a user when they connect to a switch, but read only access when they connect to a firewall?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Different Permissions

Hi,

This can be done by using command shell authorization.

Please see documentation below.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

If you have any questions, do not hesitate to contact me.

2 REPLIES
Cisco Employee

Re: Different Permissions

You can set this by using command authorization.

ACS config:

==========

Create two NDGs under Network Configuration, one for the ASA client and one for the switch client.

Create two different command authorization sets:

Switch = permit all

ASA = deny all, and permit show only

Now, go to the user account and scroll down to the Shell Command Authorization Set.

Assign a Shell Command Authorization Set on a per Network Device Group Basis

Here you can map each NDG to its respective command authorization set.

On the ASA:

===========

aaa authorization command LOCAL \\In order to enable command authorization\\

On the switch

=============

aaa new-model

aaa authorization config-commands

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

For more info, please refer to this link:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo

Let me know if you face any issue.

Regards

JK

~BR Jatin Katyal **Do rate helpful posts**
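
A check for the switch-side lines in the reply above, added here as an example and not part of the original thread or of Cisco's documentation: it reads an IOS configuration as text and reports which of the posted AAA lines are missing. The function name and both sample configs are made up for illustration, and it assumes the `default` method list is used, as in the post.

```python
import re

# Privilege levels the post configures command authorization for.
REQUIRED_LEVELS = (0, 1, 15)
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")

def audit_switch_aaa(config_text):
    """Return a list of findings for an IOS config; an empty list means OK."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")
    if "aaa authorization config-commands" not in lines:
        findings.append("config-mode commands are not authorized")
    methods_by_level = {}
    for ln in lines:
        m = CMD_AUTHZ.match(ln)
        if m and m.group(2) == "default":
            methods_by_level[int(m.group(1))] = m.group(3).split()
    for level in REQUIRED_LEVELS:
        methods = methods_by_level.get(level)
        if methods is None:
            findings.append(f"level {level}: no command authorization")
            continue
        if methods[:2] != ["group", "tacacs+"]:
            findings.append(f"level {level}: TACACS+ is not the first method")
        # Without a later method, commands fail when no TACACS+ server answers.
        if "local" not in methods[2:]:
            findings.append(f"level {level}: no local fallback")
    return findings

# Constructed sample configs (not taken from a real device).
GOOD = """\
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""
BAD = """\
aaa new-model
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_switch_aaa(cfg) or "ok")
```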