Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
0
Helpful
2
Replies

AAA authentication on different Cisco Devices

pprade
Level 1
Level 1

‎07-19-2007 01:37 AM - edited ‎03-10-2019 03:17 PM

Hi,

we use a tacacs Server ACS4.0 and have different networkdevices in our network, just like MDS 9000 ACE-Module and normal CatO and IOS devices.

Now I wanted to creat a group with users with are allowed to connect to all devices as admin.

But to connect to the ACE Module i need to insert the following lines to the ACE Custom attributes: shell:ANLOS*Admin,

and for the MDS 9000 pair*shell:roles="network-admin".

When I insert the commands allone the authentication on the devices works, but when I inser both commands, the authentication on the ACE Module failed.

Is it possible to insert both commands so that it works on all devices ??

Thanks very mutch

Peter

Labels:
0 Helpful
2 Replies 2

rochopra
Cisco Employee
Cisco Employee

‎07-19-2007 09:26 AM

Hi

This will be possible through Network Access Profiles.

Following link can give you more information on NAP:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sp.htm

As a pointer

You need to create 2 NAP's

One for ACE Module

Other for MDS 9000

In these you have to define Network Access Filters having ACE for ACE-NAP

and MDS for MDS-NAP

And for the NAP's you have to define the Radius Authorization components (attributes) to be send when the authentication happens from the devices referred in NAP.

(Both NAF and RAC can be defined in Shared Profile Components, if you cannot see them there enable them from Interface Configuration)

So now whenever the authentication will happen, ACS will look at the required NAP and for specific device send the required RAC attributes, So for ACE devices you will get only ACE attributes and for MDS you will only get MDS attributes.

Regards

Rohit

0 Helpful

darpotter
Level 5
Level 5
In response to rochopra

‎07-22-2007 11:01 PM

Not sure that will work... NAP is for RADIUS only and device admin uses TACACS+

No, the way to do it is create an admins group plus a number of Shared Device Command sets (one for each device type).

In the command authorisation section of the group setup add mapping from the AAA Clients (either at device level or NDG) to the appropriate SPC.

This way an admin user is always in the admin group, but the command authorisation change depending on the device being managed.

et voila!

Device Command Sets are explained in this excellent White Paper: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080088893.shtml

0 Helpful
Customers Also Viewed These Support Documents