
How to configure the full access privilege to some of NDG groups.

chaitu_kranthi
Level 1

Hi,

We are using Cisco ACS version 4.2. In it I have around 150 NDG groups, and on the user side we have two groups, namely a read-only group and an administrator group.

Now the problem for me is that for a few of the NDG groups, read-only users require privilege 15 access.

Can somebody help me with how to do the configuration for this?

2 Replies

jhillend
Level 1

OK, first, in the Interface Configuration, make sure "Per-user TACACS+/RADIUS Attributes" is selected. Next in each of the user configurations that require special privilege configuration, go to "Advanced TACACS+ Settings" and under "TACACS+ Enable Control:" select "Define max Privilege on a per network device group basis" and configure the privilege level with the appropriate NDG.

Hi,

Thanks for your quick reply.

I have done everything as you mentioned, but I am still getting the error below.

Command authorization failed.

My existing configuration on the device is as follows:

APMPLSCR1#sh run | inc tacacs

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

ip tacacs source-interface GigabitEthernet0/0

tacacs-server host 100.6.5.44

tacacs-server timeout 15

tacacs-server key 7 09581A1D4D5514
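
Added example, not part of the thread or of any poster's configuration: a short Python audit of the AAA lines posted above. It lists which privilege levels have every command sent to the TACACS+ server for authorization (the setting under which IOS prints "Command authorization failed" when the server denies a command), the fallback method used when the server returns an error, and whether the shared key is stored in reversible type 7 form. The function name and report keys are hypothetical.

```python
import re

# Sample input: AAA lines copied from the post above.
SAMPLE = """\
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 100.6.5.44
tacacs-server key 7 09581A1D4D5514
"""

# aaa authorization {exec | commands <level>} <list-name> <method> [<method>...]
AUTHZ = re.compile(r"^aaa authorization (exec|commands (\d+)) (\S+) (.+)$")

def audit_aaa(config):
    """Summarise which authorization decisions are delegated to TACACS+."""
    report = {"exec_via_tacacs": False, "cmd_levels_via_tacacs": [],
              "fallback": {}, "type7_key": False}
    for raw in config.splitlines():
        line = raw.strip()
        # Type 7 is a reversible encoding, not a hash: treat the key as exposed.
        if re.match(r"^tacacs-server key 7 \S+", line):
            report["type7_key"] = True
            continue
        m = AUTHZ.match(line)
        if not m:
            continue
        _kind, level, _list_name, methods = m.groups()
        methods = methods.split()
        if methods[:2] != ["group", "tacacs+"]:
            continue  # first method is not the TACACS+ server group
        key = "exec" if level is None else f"commands {level}"
        # Later methods are tried only when the server errors or times out,
        # never after an explicit deny.
        report["fallback"][key] = methods[2:]
        if level is None:
            report["exec_via_tacacs"] = True
        else:
            report["cmd_levels_via_tacacs"].append(int(level))
    report["cmd_levels_via_tacacs"].sort()
    return report

if __name__ == "__main__":
    for name, value in audit_aaa(SAMPLE).items():
        print(f"{name}: {value}")
```

For the posted configuration the report shows command authorization delegated at levels 1 and 15, so the server's per-command decision applies there regardless of the enable privilege granted per NDG.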