07-19-2007 01:37 AM - edited 03-10-2019 03:17 PM
Hi,
We use a TACACS server (ACS 4.0) and have different network devices in our network, such as MDS 9000, ACE modules and normal CatOS and IOS devices.
Now I wanted to create a group of users who are allowed to connect to all devices as admin.
But to connect to the ACE module I need to insert the following line in the ACE custom attributes: shell:ANLOS*Admin,
and for the MDS 9000 pair*shell:roles="network-admin".
When I insert the commands alone, the authentication on the devices works, but when I insert both commands, the authentication on the ACE module failed.
Is it possible to insert both commands so that it works on all devices?
Thanks very much
Peter
07-19-2007 09:26 AM
Hi
This will be possible through Network Access Profiles.
The following link can give you more information on NAP:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sp.htm
As a pointer:
You need to create 2 NAPs:
One for ACE Module
Other for MDS 9000
In these you have to define Network Access Filters, with ACE for the ACE NAP and MDS for the MDS NAP.
And for the NAPs you have to define the RADIUS Authorization Components (attributes) to be sent when the authentication happens from the devices referred to in the NAP.
(Both NAF and RAC can be defined in Shared Profile Components; if you cannot see them there, enable them from Interface Configuration.)
So now whenever the authentication happens, ACS will look at the required NAP and, for the specific device, send the required RAC attributes. So for ACE devices you will get only ACE attributes, and for MDS you will only get MDS attributes.
Regards
Rohit
07-22-2007 11:01 PM
Not sure that will work... NAP is for RADIUS only, and device admin uses TACACS+.
No, the way to do it is to create an admins group plus a number of Shared Device Command Sets (one for each device type).
In the command authorisation section of the group setup, add a mapping from the AAA clients (either at device level or NDG) to the appropriate SPC.
This way an admin user is always in the admin group, but the command authorisation changes depending on the device being managed.
et voila!
Device Command Sets are explained in this excellent White Paper: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080088893.shtml
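A simplified model of the command-set approach in the reply above, as an added example (not code from this thread or from Cisco ACS): one admin group, a command set per device type, chosen through the AAA client's NDG. Device names, NDG names and the permit/deny rules are constructed sample data.

```python
"""Simplified model of per-device command authorization with one admin group
and a Shared Device Command Set per device type, selected through the AAA
client's network device group (NDG).

Added example, not code from this thread or from Cisco ACS. The device
names, NDGs and command rules are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass
class CommandSet:
    """Ordered permit/deny rules; the first rule matching the full line wins."""
    rules: list[tuple[str, str]]  # (action, regex over the whole command line)
    permit_unmatched: bool = False  # what to do when no rule matches

    def authorize(self, command: str) -> bool:
        for action, pattern in self.rules:
            if re.fullmatch(pattern, command.strip()):
                return action == "permit"
        return self.permit_unmatched


# Constructed: one command set per device type, keyed by NDG name.
COMMAND_SETS = {
    "ACE": CommandSet([
        ("deny", r"clear .*"),
        ("permit", r"(show|changeto|configure)( .*)?"),
    ]),
    "MDS9000": CommandSet([
        ("permit", r"(show|zone|vsan)( .*)?"),
    ]),
}

# Constructed: AAA client hostname -> NDG the device belongs to.
AAA_CLIENTS = {"ace-lb-01": "ACE", "mds-core-01": "MDS9000"}


def authorize(aaa_client: str, command: str) -> bool:
    """Decide a command for an admin-group user on a device; unknown devices fail closed."""
    ndg = AAA_CLIENTS.get(aaa_client)
    command_set = COMMAND_SETS.get(ndg) if ndg else None
    if command_set is None:
        return False
    return command_set.authorize(command)
```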