Privilege Assignment per Device Group

michael.kopp
Level 1

Hi,

I want to assign a different privilege level to a user depending on which device group he tries to log in to.

Let's say:

User A should get privilege level 5 on my backbone routers,

but he should get privilege level 15 on all access routers. How can I do that with ACS 2.6? I know how to restrict users to access only some devices via IP-based Network Access Restrictions, and I also tried the Advanced TACACS+ settings where you can state that a user should only get priv 5 on some device group, but I tested it in my lab and the user always gets priv 15 on all devices.

Here's some of my config in ACS:

priv 5 for core devices

priv 15 on access devices

exec rights and assignment of priv=15

On the IOS device:

aaa authorization exec group tacacs+ none

Does anybody have a guide on how to implement it?

Thanks in advance,

Michael

1 Reply

jekrauss
Level 1

On your router:

enable: aaa authentication enable group tacacs+ none

In ACS, User Setup>>Advanced TACACS+ settings, configure a privilege level for a particular device group. If your Advanced TACACS+ settings aren't visible, then enable them under Interface Configuration.

i.e. Under TACACS+ Enable Control, select Define max privilege on a per NDG basis.

Then add an association to a NDG and a privilege level.

Here's a catch though. If, on your router, you have enabled both:

aaa authorization exec

and

aaa authentication enable,

then your user who is given shell access and priv 15 bypasses any enable authentication and also, therefore, bypasses all your TACACS+ Enable control restrictions which you just setup. So, in this case, you need to use enable authentication to control access to privilege levels, rather than aaa authorization.

For documentation reference, just look in your embedded ACS documentation under "Advanced TACACS+ Settings"

Good luck,

Jeff
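To make the advice above concrete, here is an added router-side configuration example. It is not from the original post or from Cisco's documentation; the ACS server address 10.0.0.10, the shared key and the local enable secret are placeholders. The point it illustrates is the one Jeff makes: the per-NDG "max privilege" configured under TACACS+ Enable Control is only consulted when the router actually performs ENABLE authentication against TACACS+, so the ACS shell (exec) profile must not already hand the user priv-lvl=15 at login. It also uses the local enable secret as the fallback method rather than `none`, so that an unreachable ACS does not translate into unauthenticated level-15 access.

```text
! Added example, not the original poster's or Cisco's configuration.
! Assumes one ACS 2.6 server at 10.0.0.10 and a shared key "tacacs-key"
! (both placeholders).
aaa new-model
tacacs-server host 10.0.0.10
tacacs-server key tacacs-key
!
! Login and exec stay under TACACS+ control, but the user's shell (exec)
! settings in ACS must NOT set priv-lvl=15. If they do, the user lands at
! level 15 straight from login, never types "enable", and the per-NDG
! max-privilege setting is never consulted.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! This is where the per-NDG limit is enforced: every "enable <level>" is
! authenticated by ACS, which checks the max privilege for the NDG the
! router belongs to. Fallback is the local enable secret, not "none".
aaa authentication enable default group tacacs+ enable
enable secret <local-fallback-secret>
!
! Expected behaviour with max privilege 5 on the core NDG and 15 on the
! access NDG (the scenario in the question):
!   core router   : "enable" (= enable 15) is refused, "enable 5" succeeds
!   access router : "enable" (= enable 15) succeeds
```

If the user still arrives at privilege 15 on the core routers after this change, the first thing to check is the shell/exec section of the user or group setup in ACS: any privilege level set there is applied by `aaa authorization exec` at login and short-circuits the enable step entirely.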
