Cisco Support Community

tacacs - Authorization limitations?

Hi all,

Using TACACS, can you restrict a user's rights to certain equipment while giving them full access to others?

What I mean to say is: Can "User A" have view access to Switch 1, Global config access to Switch 2, and no access to Router 1?

All using the same TACACS server.

Thanks in advance!

Andy

3 REPLIES

Re: tacacs - Authorization limitations?

Yes, it can be done. Sorry, I am editing my post now; I did not read your question carefully.

As stated by jgambhir, you need to have different NDGs for this to work. Please note that NDGs are not visible in ACS by default; you have to enable them from the 'Interface' page.

Regards

Farrukh

Re: tacacs - Authorization limitations?

Andy,

Yes, that is possible. You can give a user different privileges on different NAS.

Here is the link for command authorization:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

In ACS, under Group Setup, we have an option to "Assign a Shell Command Authorization Set on a per Network Device Group Basis".

You can also give different enable privileges by using the option:

Define max Privilege on a per network device group basis

Hope that helps

Regards,

~JG

Do rate helpful posts


Re: tacacs - Authorization limitations?

Configure NAR and command authorization; command authorization is only supported by TACACS.

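A simplified model of the per-NDG decision the replies above describe (a NAR, a max privilege, and a shell command authorization set, each chosen per Network Device Group), applied to the scenario in the question. This is an added example, not part of the original thread and not ACS code; the device names, NDG names, and regex-style command entries are constructed assumptions.

```python
"""Toy model of per-NDG TACACS+ authorization. Constructed example, not ACS code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class NdgPolicy:
    login_allowed: bool   # stands in for a NAR permitting or denying this NDG
    max_privilege: int    # ceiling, like "max privilege on a per-NDG basis"
    permit: tuple = ()    # stands in for a shell command authorization set


# Constructed inventory: device -> Network Device Group (names are assumptions).
DEVICE_NDG = {"switch1": "NDG-View", "switch2": "NDG-Admin", "router1": "NDG-Core"}

# Constructed policy for the one group that "User A" belongs to.
USER_A_GROUP = {
    "NDG-View": NdgPolicy(True, 1, (r"show( .+)?", r"exit")),
    "NDG-Admin": NdgPolicy(True, 15, (r".+",)),
    "NDG-Core": NdgPolicy(False, 0),
}


def authorize(device: str, privilege: int, command: str) -> bool:
    """Return True only if every per-NDG check passes; anything else is denied."""
    policy = USER_A_GROUP.get(DEVICE_NDG.get(device, ""))
    if policy is None or not policy.login_allowed:
        return False                      # unknown device or NAR deny: fail closed
    if privilege > policy.max_privilege:
        return False                      # session is above the NDG's ceiling
    cmd = " ".join(command.split())       # normalise whitespace before matching
    return any(re.fullmatch(p, cmd) for p in policy.permit)


if __name__ == "__main__":
    for dev, priv, cmd in [
        ("switch1", 1, "show version"),
        ("switch1", 15, "configure terminal"),
        ("switch2", 15, "configure terminal"),
        ("router1", 1, "show version"),
    ]:
        print(f"{dev:8} priv={priv:<2} {cmd!r:22} -> {authorize(dev, priv, cmd)}")
```

The same user and the same server give three different outcomes because every check is keyed on the device's NDG, and a device that is in no NDG is denied rather than inheriting a default.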