
New Member

ACS 4.1 setup

Hi All,

1> Created two NT groups in Windows:

VPNusers

Networkusers

2> Created two groups in ACS:

Routernetworkadmin

Switchnetworkadmin.

3> Mapped VPNusers to Routernetworkadmin

   Mapped Networkusers to Switchnetworkadmin

4> Created two NDGs:

Coredevices

L2devices

In Coredevices, added AAA clients such as router, firewall, switch

In L2devices, added only a switch

5> Created two NARs:

superadmin

subadmin

Under superadmin, added NDG Coredevices

Under subadmin, added NDG L2devices.

6> Finally, created two users, say x and y

User x is added under the routeradmin group

User y is added under the switch networkadmin group

The requirement is that user x should access only the devices mentioned under the routeradmin group

and user y should access only the devices mentioned under the switch networkadmin group.

Does the above config work?
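
The device-restriction chain described in the post (Windows group, ACS group, NAR, NDG, AAA client) as an added Python model; this is not code from the thread or from Cisco ACS, it only reproduces the evaluation order so the effect of each step can be checked. The device hostnames are constructed, and because an AAA client belongs to exactly one NDG in ACS, the switch in Coredevices and the switch in L2devices are modelled as two different devices. The mapping of each ACS group to a NAR is an assumption, since the post does not state which NAR was selected under which group.

```python
"""Constructed model of an ACS 4.x group -> NAR -> NDG device restriction."""

# NDG name -> AAA clients in that group (hostnames are constructed).
NDG = {
    "Coredevices": {"core-router", "core-firewall", "core-switch"},
    "L2devices": {"access-switch"},
}

# NAR name -> NDGs whose devices the NAR permits (a "permit listed" NAR).
NAR = {
    "superadmin": {"Coredevices"},
    "subadmin": {"L2devices"},
}

# ACS group -> NAR selected under that group's settings (assumed mapping).
GROUP_NAR = {
    "Routernetworkadmin": "superadmin",
    "Switchnetworkadmin": "subadmin",
}

# Windows NT group -> ACS group mapping (step 3 of the post).
NT_GROUP_MAP = {
    "VPNusers": "Routernetworkadmin",
    "Networkusers": "Switchnetworkadmin",
}

# Users and the NT group they belong to (constructed sample accounts).
USERS = {"x": "VPNusers", "y": "Networkusers"}


def ndg_of(device):
    """Return the NDG an AAA client belongs to, or None if it is not an AAA client."""
    for ndg, members in NDG.items():
        if device in members:
            return ndg
    return None


def is_permitted(user, device):
    """Decide whether `user` may authenticate from `device` under the NAR of its group."""
    nt_group = USERS.get(user)
    if nt_group is None:
        return False  # unknown user: authentication fails before any NAR is consulted
    acs_group = NT_GROUP_MAP.get(nt_group)
    nar = GROUP_NAR.get(acs_group)
    if nar is None:
        return True  # a group with no NAR selected has no device restriction at all
    return ndg_of(device) in NAR[nar]


def access_matrix():
    """All user/device decisions, useful for checking the NAR before rollout."""
    devices = sorted(d for members in NDG.values() for d in members)
    return {u: {d: is_permitted(u, d) for d in devices} for u in USERS}


if __name__ == "__main__":
    for user, row in access_matrix().items():
        for device, ok in row.items():
            print(f"user {user} on {device}: {'PERMIT' if ok else 'DENY'}")
```

The `nar is None` branch is the point Amjad makes in the reply: the NAR only takes effect once it is selected under the ACS group, and a group without a NAR is unrestricted.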


ACS 4.1 setup

Hi,

If the NAR is configured correctly under the correct group, the above scenario should work.

From under the user group, you need to select the NAR, which decides what devices this group's members can access.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

ACS 4.1 setup

Thanks

Will update once done with config

New Member

ACS 4.1 setup

Hi Amjad ,

The above mentioned config is working.

Now I need the subadmin NAR to view only the following commands,

such as show ip route,

show ip interface brief,

show version.

Can you guide me?

ACS 4.1 setup

This is a different story.

To restrict commands you need to define command authorization sets.

This config example can be useful for how to define command authorization sets on ACS 4.x:

http://tiny.cc/3q5p1w

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

ACS 4.1 setup

Thanks for the doc.

Can you just provide some additional links?

New Member

ACS 4.1 setup

Hi Amjad

Below are the steps I have configured.

When I execute the command show version,

I am getting an error: command authorization failed. Please help.

  • Created a user in ACS, such as super

  • Shared Profile Components
  • Create Shell Command Authorization Set - "ReadOnly"
    • Unmatched Commands - Deny
    • Unchecked - Permit Unmatched Args
    • Commands Added
      • interface
      • ip
      • vlan
      • version
  • Created a group - "Admin" with the following:
  • Configured - Network Access Restrictions (NAR)
  • Max Sessions - Unlimited
  • Enable Options - No Enable Privilege
  • TACACS+ Settings
    • Shell (exec)
    • Privilege level is checked, with 1 as the assigned level
    • Shell Command Authorization Set
      • "ReadOnly" - Assign a Shell Command Authorization Set for any network device

  • I have configured the following on my Router/Switch:
      • aaa authorization config-commands
      • aaa authorization commands 1 default group tacacs+ if-authenticated
      • aaa authorization commands 15 default group tacacs+ if-authenticated
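
An added Python model of how an ACS 4.x shell command authorization set is evaluated, so the "command authorization failed" result for show version can be reproduced and a set that permits the three show commands can be checked before it is pushed to the router. This is not code from the thread or from Cisco ACS. It assumes the matching rule documented for ACS 4.x sets: the first word of the command line the device sends (IOS sends the fully expanded command) is matched against the set's command entries, and the remaining words against that entry's argument lines; as a simplification the argument lines are treated as Python regular expressions anchored to the whole argument string. The set named `ShowOnly` is constructed for comparison; the `ReadOnly` set reproduces the entries listed in the post.

```python
"""Constructed model of ACS 4.x shell command authorization set matching."""
import re


class ShellCommandSet:
    def __init__(self, name, commands, unmatched_commands="deny",
                 permit_unmatched_args=False):
        # commands: {"show": [("permit", "ip route"), ...]}; an empty list means
        # the command was added with no argument lines.
        self.name = name
        self.commands = commands
        self.unmatched_commands = unmatched_commands
        self.permit_unmatched_args = permit_unmatched_args

    def authorize(self, line):
        """Return True if the (fully expanded) command line is permitted."""
        words = line.split()
        if not words:
            return False
        command, args = words[0], " ".join(words[1:])
        rules = self.commands.get(command)
        if rules is None:
            # First word is not a command entry: "Unmatched Commands" decides.
            return self.unmatched_commands == "permit"
        for action, pattern in rules:
            if re.fullmatch(pattern, args):
                return action == "permit"
        # Command matched but no argument line did: "Permit Unmatched Args" decides.
        return self.permit_unmatched_args


# The set as listed in the post: four command entries, no argument lines,
# unmatched commands denied, unmatched arguments not permitted.
READONLY = ShellCommandSet(
    "ReadOnly",
    {"interface": [], "ip": [], "vlan": [], "version": []},
    unmatched_commands="deny",
    permit_unmatched_args=False,
)

# Constructed set keyed on the "show" command with the three wanted argument lines.
SHOW_ONLY = ShellCommandSet(
    "ShowOnly",
    {"show": [("permit", "ip route"),
              ("permit", "ip interface brief"),
              ("permit", "version")]},
    unmatched_commands="deny",
    permit_unmatched_args=False,
)

# Constructed sample of command lines as the router would send them for authorization.
SAMPLE = ["show version", "show ip route", "show ip interface brief",
          "show running-config", "configure terminal"]


def evaluate(command_set, lines=SAMPLE):
    """Map each command line to the set's permit/deny decision."""
    return {line: command_set.authorize(line) for line in lines}


if __name__ == "__main__":
    for cs in (READONLY, SHOW_ONLY):
        print(cs.name)
        for line, ok in evaluate(cs).items():
            print(f"  {'PERMIT' if ok else 'DENY  '} {line}")
```

Under this model the `ReadOnly` set denies `show version` because the first word, `show`, is not one of its command entries and unmatched commands are set to deny; the `ShowOnly` set permits exactly the three lines from the earlier post and denies everything else, including `show running-config` and `configure terminal`.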

New Member

ACS 4.1 setup

Hi Amjad,

Waiting for your suggestions.
