I want to assign a different privilege level to a user depending on what device group he tries to log in to.
Let's say:
User A should get privilege level 5 on my backbone routers,
but he should get priv level 15 on all access routers. How can I do that with ACS 2.6? I know how to restrict users to access only some devices with IP-based Network Access Restrictions, and I also tried the Advanced TACACS+ settings, where you can state that a user should only get priv 5 on some device group. But I tested it in my lab and the user always gets priv 15 on all devices.
Here's some of my config in ACS:
priv 5 for core devices
priv 15 on access devices
exec rights and assignment of priv=15
On the IOS device:
aaa authorization exec default group tacacs+ none
Does anybody have some guide on how to implement it?
enable: aaa authentication enable default group tacacs+ none
In ACS, User Setup>>Advanced TACACS+ settings, configure a privilege level for a particular device group. If your Advanced TACACS+ settings aren't visible, then enable them under Interface Configuration.
i.e. Under TACACS+ Enable Control, select Define max privilege on a per NDG basis.
Then add an association to a NDG and a privilege level.
Here's a catch though. If, on your router, you have enabled both:
aaa authorization exec
aaa authentication enable,
then your user who is given shell access and priv 15 bypasses any enable authentication and also, therefore, bypasses all your TACACS+ Enable Control restrictions which you just set up. So, in this case, you need to use enable authentication to control access to privilege levels, rather than aaa authorization.
For documentation reference, just look in your embedded ACS documentation under "Advanced TACACS+ Settings".
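As an added illustration (not part of the original thread), here are the two router-side AAA layouts the answer contrasts, with the matching ACS-side setting noted in comments; the server address, key and method-list names are placeholders, and the `show privilege` check at the end is the lab test the question describes:

```text
! Constructed example, not taken from the thread. Server, key and list names are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY

! --- Layout that defeats the per-NDG enable control ---
! ACS shell (exec) profile sets priv-lvl=15. Exec authorization applies it at login,
! so "enable" is never requested and "Define max privilege on a per NDG basis" is never consulted.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ none
aaa authentication enable default group tacacs+ enable
! Note: the trailing "none" fails open (full access) if the TACACS+ server is unreachable;
! a "local" fallback with a local account is the safer choice.

! --- Layout the answer recommends ---
! ACS shell profile grants exec access only (no priv-lvl=15). The user lands at priv 1 and
! must type "enable" (optionally "enable 5"); that request goes to TACACS+, where ACS
! applies the per-NDG max privilege: 5 on the core NDG, 15 on the access NDG.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authentication enable default group tacacs+ enable

! Verification on a core router, after "enable 15" is refused and "enable 5" succeeds:
!   Router# show privilege
!   Current privilege level is 5
```

If the core router still reports level 15 right after login, the ACS shell profile is still pushing priv-lvl=15 and the enable path is being bypassed, which is exactly the catch the answer describes.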