11-11-2002 06:57 AM - last edited on 03-25-2019 04:58 PM by ciscomoderator
Hi,
I want to assign a different privilege level to a user depending on which device group he tries to log in to.
Let's say:
User a should get privilege level 5 on my backbone routers
but he should get priv level 15 on all access routers. How can I do that with ACS 2.6? I know how to restrict users to access only some devices per IP-based Network Access Restrictions, and I also tried the advanced TACACS settings where you can state a user should only get priv 5 on some device group, but I tested it in my lab and the user always gets priv 15 on all devices.
Here's some of my config in ACS:
priv 5 for core devices
priv 15 on access devices
exec rights and assignment of priv=15
on the IOS device:
aaa authorization exec group tacacs+ none
Does anybody have a guide on how to implement it?
Thanks in advance,
Michael
11-11-2002 05:36 PM
On your router:
enable: aaa authentication enable group tacacs+ none
In ACS, User Setup>>Advanced TACACS+ settings, configure a privilege level for a particular device group. If your Advanced TACACS+ settings aren't visible, then enable them under Interface Configuration.
i.e. Under TACACS+ Enable Control, select Define max privilege on a per NDG basis.
Then add an association to a NDG and a privilege level.
Here's a catch though. If, on your router, you have enabled both:
aaa authorization exec
and
aaa authentication enable,
then your user who is given shell access and priv 15 bypasses any enable authentication and also, therefore, bypasses all your TACACS+ Enable Control restrictions which you just set up. So, in this case, you need to use enable authentication to control access to privilege levels, rather than aaa authorization.
For documentation reference, just look in your embedded ACS documentation under "Advanced TACACS+ Settings"
Good luck,
Jeff
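The catch Jeff describes is easy to reintroduce later when someone adds an `aaa authorization exec` line to a router that relies on TACACS+ Enable Control for per-NDG privilege limits. The following is an added example, not code from either post or from Cisco: a small Python audit that parses the AAA lines of an IOS running-config excerpt and flags two things, the exec-authorization plus enable-authentication combination that lets a priv-lvl=15 shell bypass enable control, and any TACACS+ method list that falls back to `none` (which fails open if the ACS server is unreachable). The sample configs are constructed; the `default` method-list name and the `192.0.2.10` server address are assumptions, since the thread quotes the commands without them.

```python
import re
from dataclasses import dataclass

# Keywords that can begin the method list of an "aaa authentication/authorization"
# line; anything else in that position is taken to be a named method list.
METHOD_KEYWORDS = {"group", "local", "local-case", "enable", "line", "none",
                   "if-authenticated", "krb5", "tacacs+", "radius"}

# Constructed running-config excerpt in the shape of the thread's router side:
# exec authorization AND enable authentication both pointed at TACACS+, with "none" fallback.
RISKY_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
aaa authorization exec default group tacacs+ none
tacacs-server host 192.0.2.10 key EXAMPLE_KEY
"""

# Constructed excerpt following Jeff's advice: privilege level is controlled by enable
# authentication only, with the local enable secret as the fallback instead of "none".
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.0.2.10 key EXAMPLE_KEY
"""


@dataclass
class AaaEntry:
    kind: str         # "authentication" or "authorization"
    atype: str        # "login", "enable", "exec", ...
    list_name: str    # method-list name, "default" when the line omits it
    methods: list     # e.g. ["group tacacs+", "none"]


def parse_aaa_lines(config_text):
    """Extract every 'aaa authentication ...' / 'aaa authorization ...' line."""
    entries = []
    for raw in config_text.splitlines():
        m = re.match(r"^aaa (authentication|authorization) (\S+) (.+)$", raw.strip())
        if not m:
            continue
        kind, atype, rest = m.groups()
        tokens = rest.split()
        list_name = "default"
        if tokens and tokens[0] not in METHOD_KEYWORDS:
            list_name = tokens.pop(0)
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")   # "group tacacs+" is one method
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        entries.append(AaaEntry(kind, atype, list_name, methods))
    return entries


def uses_tacacs(entry):
    # "tacacs+" on its own is the older pre-"group" syntax, accepted here as well.
    return any(m in ("group tacacs+", "tacacs+") for m in entry.methods)


def audit_aaa(config_text):
    """Return a summary dict with a 'findings' list for the risks discussed in the thread."""
    entries = parse_aaa_lines(config_text)
    exec_tacacs = [e for e in entries
                   if e.kind == "authorization" and e.atype == "exec" and uses_tacacs(e)]
    enable_tacacs = [e for e in entries
                     if e.kind == "authentication" and e.atype == "enable" and uses_tacacs(e)]
    findings = []
    # A shell returned with priv-lvl=15 by exec authorization never goes through enable
    # authentication, so per-NDG Enable Control limits in ACS are silently skipped.
    if exec_tacacs and enable_tacacs:
        findings.append("enable-control-bypass")
    # A trailing "none" grants access when TACACS+ does not answer (server down, ACL, key mismatch).
    for e in entries:
        if uses_tacacs(e) and "none" in e.methods:
            findings.append(f"fail-open-fallback:{e.kind} {e.atype} {e.list_name}")
    return {
        "exec_authorization_tacacs": bool(exec_tacacs),
        "enable_authentication_tacacs": bool(enable_tacacs),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_aaa(cfg))
```

Run it against `show running-config | include ^aaa` output from each router class; an empty `findings` list on the access routers and the backbone routers means the ACS per-NDG privilege settings are actually the thing deciding the level, which is what the original question needs.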