ACS 4.1 setup

prashantrecon
Level 1

Hi All,

1> Created two NT groups in Windows:

VPNusers

Networkusers

2> Created two groups in ACS, such as:

Routernetworkadmin

Switchnetworkadmin

3> Mapped VPNusers to Routernetworkadmin

   Mapped Networkusers to Switchnetworkadmin

4> Created two NDGs:

Coredevices

L2devices

In Coredevices added AAA clients such as router, firewall, switch

In L2devices added only the switch

5> Created two NARs:

superadmin

subadmin

Under superadmin added NDG Coredevices

Under subadmin added NDG L2devices.

6> Finally created two users, say X and Y

User X is added under the routeradmin group

User Y is added under the switch networkadmin group

Requirement is that user X should access only the devices mentioned under the routeradmin group

and user Y should access only the devices mentioned under the switch networkadmin group.

Does the above config work?

7 Replies

Amjad Abdullah
VIP Alumni

Hi,

If the NAR is configured correctly under the correct group, the above scenario should work.

From the user group you need to select the NAR, which decides which devices this group's members can access.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Thanks.

Will update once done with the config.

Hi Amjad,

The above mentioned config is working.

Now I need the subadmin NAR to view only the following commands,

such as show ip route,

show ip interface brief,

show version.

Can you guide me?

This is a different story.

To restrict commands you need to define command authorization sets.

This config example can be useful for how to define command authorization sets on ACS 4.x:

http://tiny.cc/3q5p1w

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Thanks for the doc.

Can you just provide some additional links?

Hi Amjad,

Below are the steps I have configured.

When I execute the command show version,

I am getting the error "command authorization failed". Please help.

  • Created a user in ACS such as "super"

  • Shared Profile Components
    • Created Shell Command Authorization Set - "ReadOnly"
      • Unmatched Commands - Deny
      • Unchecked - Permit Unmatched Args
      • Commands Added
        • interface
        • ip
        • vlan
        • version

  • Created a group - "Admin" with the following
    • Configured - Network Access Restrictions (NAR)
    • Max Sessions - Unlimited
    • Enable Options - No Enable Privilege
    • TACACS+ Settings
      • Shell (exec)
      • Privilege level is checked with 1 as the assigned level
      • Shell Command Authorization Set
        • "ReadOnly" - Assign a Shell Command Authorization Set for any network device

  • I have configured the following on my Router/Switch
    • aaa authorization config-commands
    • aaa authorization commands 1 default group tacacs+ if-authenticated
    • aaa authorization commands 15 default group tacacs+ if-authenticated

Hi Amjad,

Waiting for your suggestions.
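The following is an added example, not code from the thread or from Cisco ACS: a small Python model of how a shell command authorization set is evaluated when the device sends a TACACS+ command authorization request. The point it demonstrates is the one behind the "command authorization failed" error above: IOS sends the first word of the exec line as the command ("show") and the remainder as its arguments ("version", "ip interface brief"), so a set whose command entries are "interface", "ip", "vlan" and "version" with "Unmatched Commands - Deny" never sees a matching command for "show ...". The second set in the code ("READONLY_SET", a hypothetical corrected set) enters "show" as the command and permits the three argument strings the poster wants. Treating argument lines as regular expressions matched against the joined argument string is an assumption of this model, as is the handling of empty argument strings; privilege levels and the IOS-side `aaa authorization commands` configuration are outside what it models.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command entry in a shell command authorization set (hypothetical model)."""
    command: str                                   # e.g. "show"
    arg_rules: list = field(default_factory=list)  # [("permit", r"^version$"), ...]
    permit_unmatched_args: bool = False            # the "Permit Unmatched Args" box


@dataclass
class CommandSet:
    """A shell command authorization set as built under Shared Profile Components."""
    name: str
    commands: dict = field(default_factory=dict)   # command keyword -> CommandRule
    unmatched_commands: str = "deny"               # "permit" or "deny"

    def add(self, rule):
        self.commands[rule.command] = rule
        return self


def evaluate(cmd_set, command, arguments):
    """Decide one command authorization request (cmd, cmd-arg) against the set.

    Assumption of this model: argument lines are regular expressions tested
    against the argument words joined by single spaces, first match wins.
    """
    rule = cmd_set.commands.get(command)
    if rule is None:
        # Command keyword is not in the set: the global Unmatched Commands setting applies.
        return cmd_set.unmatched_commands == "permit"
    args = " ".join(arguments)
    for action, pattern in rule.arg_rules:
        if re.search(pattern, args):
            return action == "permit"
    # No argument line matched: the per-command Permit Unmatched Args box decides.
    return rule.permit_unmatched_args


def authorize_line(cmd_set, line):
    """Split an exec line the way the device does (first word = cmd) and evaluate it."""
    words = line.split()
    if not words:
        return False
    return evaluate(cmd_set, words[0], words[1:])


# Constructed to mirror the set described in the post: bare keywords entered as commands.
POSTED_SET = CommandSet("ReadOnly-as-posted")
for keyword in ("interface", "ip", "vlan", "version"):
    POSTED_SET.add(CommandRule(keyword))

# Hypothetical corrected set: "show" is the command, the wanted lines are permitted arguments.
READONLY_SET = CommandSet("ReadOnly").add(CommandRule(
    "show",
    arg_rules=[
        ("permit", r"^ip route$"),
        ("permit", r"^ip interface brief$"),
        ("permit", r"^version$"),
    ],
))


if __name__ == "__main__":
    for line in ("show version", "show ip interface brief",
                 "show running-config", "configure terminal"):
        print(f"{line!r:28} posted={authorize_line(POSTED_SET, line)!s:5} "
              f"corrected={authorize_line(READONLY_SET, line)}")
```

Running the block prints, for each sample line, the decision under the posted set (every "show ..." line denied, because "show" is an unmatched command) and under the corrected set (only the three permitted argument strings allowed; "show running-config" and "configure terminal" denied). Anchoring the patterns with `^` and `$` keeps "show ip route" from also matching "show ip route vrf ...", which is the kind of over-match to check for when the argument lines are written loosely.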
