Have LMS3.1 integrated with ACS and have set a group in ACS as Help Desk. Privileges seem correct in ACS and CiscoWorks as to CiscoWorks access for this level. However, a user re-assigned from default PL 15 to Help Desk privilege level can still access and configure devices via the Device Center - Telnet command.
What is the easiest or most direct way to limit this user to "no enable"? Change every (default) enable password, or program custom privilege level?
Thanks for your reply. I was incomplete in my description.
We have approximately 800 switch and router devices managed by CW with ACS integration via TACACS+. Initially we allowed several individuals level 15 privilege access via TACACS+ and a single group of ACS network admins, relying on the expertise of same.
The network expanded rapidly as did this group of sys admins (sound familiar?). Individual responsibilities expanded and changed.
Now we want to ratchet down the list of users with unlimited access but provide more limited access and privileges to some of the experienced analysts who have been promoted beyond the day-to-day responsibilities of system configuration. Further, we want to grant help desk level, system-wide monitoring access to these and to others less experienced, such as desktop and server management.
Access via CiscoWorks allows monitoring capabilities at the help desk level, but unless I define a separate privilege level for a separate group for these users and change the original enable password, the users previously assigned to the original user group in ACS TACACS+ would still be able to back-door the devices (via Device Center - Telnet) and use the original enable password to reconfigure the devices.
Again, am I correct in my thinking that I must:
1.) assign them to a separate group with a reduced privilege level,
2.) define this privilege level in all affected devices (to match the capability of monitoring, not configuring all devices), and
3.) change the existing enable password on all devices to prevent application of the previous enable password to achieve level 15 via the Device Center Telnet/SSH back door.
Or, is there a more straightforward method I am missing via ACS TACACS+ and CiscoWorks?
Thanks for the detailed description, I hope I understood correctly.
The steps you describe should achieve what you want, but I believe an easier way can be used.
Make sure to allow the correct privilege level in the TACACS+ side, in order to prevent manual Telnet to the devices.
Second, you can edit the permissions for the Help Desk or any other Role you have assigned to this group in the ACS server. This is done under Shared Profile Components. Select Common Services and the Role the users currently have, HelpDesk for example.
UNSELECT the Device Center checkbox and you should have removed the permission to access Device Center, and therefore the Telnet option on the HelpDesk role.
Please let me know if I misunderstood your scenario.
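The device-side half of "allow the correct privilege level in the TACACS+ side" is the AAA configuration on each managed IOS device. The following IOS configuration is an added example for this thread, not configuration posted by either participant or shipped with LMS or ACS; the server address, shared secret, fallback username and secrets are placeholders. It sends login, enable and exec/command authorization to ACS so that the privilege level (priv-lvl) returned for the Help Desk group is what the shell actually gets, and so that the local enable secret is only consulted when ACS is unreachable:

```ios
! Added example (not from the original thread). Server address and secrets are assumed values.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key ExampleSharedSecret
!
! Login and enable are both authenticated by ACS first. The trailing "local" / "enable"
! methods are only tried if no TACACS+ server responds, so a user whose ACS group is
! limited to priv-lvl 1 cannot reuse the old local enable secret while ACS is reachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization applies the privilege level ACS returns for the session
! (Shell (exec) attribute "Privilege level" in the group/user settings).
aaa authorization exec default group tacacs+ local
!
! Command authorization makes every level-1 and level-15 command subject to ACS, so even a
! session that reaches level 15 is still governed by the group's command authorization set.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Account for configuration commands so back-door changes are attributable.
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback credentials, used only when ACS does not respond (assumed values; rotate
! these on a schedule since they are the one path that bypasses ACS).
username fallbackadmin privilege 15 secret ExampleFallbackSecret
enable secret ExampleEnableSecret
!
line vty 0 4
 transport input ssh
```

With this in place, the ACS side is the only thing that needs to change per group: leave the original administrators' group at priv-lvl 15 and set the Help Desk group's Shell (exec) privilege level to 1 (or a custom level such as 5 if you define one on the devices with `privilege exec level 5 ...` for the show commands you want to allow). Changing the enable password on all 800 devices then only matters for the "ACS unreachable" fallback path, not for day-to-day access through Device Center Telnet/SSH.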