
New Member

ACS 5.3: Manage/create groups

Hi,

As a Network Eng, I want the NetAdmins to use ACS for auth on their devices such as Fabric Interconnects, MDS switches and so on. How can I make sure once TACACS+ is configured on those devices, NetAdmins can only access those specific devices and nothing else (i.e. switches, routers, etc.)?

I am new to ACS, any other tips/suggestions are appreciated.

Thanks in advance.

1 REPLY
New Member

Re: ACS 5.3: Manage/create groups

1.  Put all the devices that the NetAdmins are permitted to modify in one Device Group

2.  Put all the NetAdmin user accounts in one Identity Group

3.  Create a rule that lets NetAdmins logging into their Device Group access the device:

     Go to:  Access Policies > Access Services > Default Device Admin > Authorization

          Click the Customize button at the bottom of the screen.

          In the popup window, under Customize Conditions, move Identity Group and NDG:Device Type to the Selected: box on the right

          Click OK

     Click the Create button

          Under Conditions:

               Check the box next to Identity Group:

                    Use the Select button to choose your NetAdmin Identity Group

               Check the box next to NDG:Device Type:

                    Use the Select button to choose the Device Group your NetAdmin devices belong to

          Under Results:

               Use the Select button to choose a Shell Profile; probably use Permit Access

               Under Command Sets:  Use the Select button to choose a Command Set

                    (Build at Policy Elements > Authorizations and Permissions > Device Administration > Command Sets)

          Click the OK button.

     Check the box next to this new rule, and use the ^ button to move it to the top of your list of rules.

4.  Create a rule that denies access to NetAdmins trying to log into any other device:

     Click the Create button

          Under Conditions:

               Check the box next to Identity Group:

                    Use the Select button to choose your NetAdmin Identity Group

          Under Results:

               Use the Select button to choose a Shell Profile; probably use DenyAccess

               Under Command Sets:  Use the Select button to choose a Command Set; probably use DenyAllCommands

          Click the OK button.

     Check the box next to this new rule, and use the ^ button to move it directly below the rule created in step 3.

I hope this helps, and in the future try posting ACS-type questions to the AAA, Identity and NAC forum instead of the Security Management forum. 

--Chris
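The reply's steps 3 and 4 only work if the permit rule sits above the deny rule, because the authorization policy table is evaluated top to bottom and the first matching rule wins. The following is an added example, not code from the thread or from Cisco: a small Python model of that rule table, with a check that flags a rule that can never match because a broader rule sits above it. All rule names, group names and device types are constructed placeholders, and the final catch-all "Default" rule returning DenyAccess is an assumption about the table's behaviour.

```python
"""Toy model of a first-match authorization rule table (constructed example).

Assumptions: rules are evaluated top to bottom, the first rule whose
conditions all match supplies the result, and an implicit Default rule at
the bottom denies anything nothing else matched.  Rule, group and device
type names below are placeholders, not values from any real ACS install.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: Optional[str]  # None = Identity Group condition not used
    device_type: Optional[str]     # None = NDG:Device Type condition not used
    shell_profile: str
    command_set: str

    def matches(self, identity_group: str, device_type: str) -> bool:
        """A rule matches when every condition it uses agrees with the request."""
        if self.identity_group is not None and self.identity_group != identity_group:
            return False
        if self.device_type is not None and self.device_type != device_type:
            return False
        return True


def evaluate(rules: List[Rule], identity_group: str, device_type: str) -> Tuple[str, str, str]:
    """Return (rule name, shell profile, command set) for the first matching rule."""
    for rule in rules:
        if rule.matches(identity_group, device_type):
            return rule.name, rule.shell_profile, rule.command_set
    # Assumed catch-all at the bottom of the table.
    return "Default", "DenyAccess", "DenyAllCommands"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule's
    conditions are at least as broad on both Identity Group and Device Type."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            broader_identity = earlier.identity_group in (None, later.identity_group)
            broader_device = earlier.device_type in (None, later.device_type)
            if broader_identity and broader_device:
                shadowed.append(later.name)
                break
    return shadowed


# Table in the order the reply recommends: step-3 permit on top,
# step-4 deny directly below it, other teams' rules further down.
RULES = [
    Rule("NetAdmin-Permit", "NetAdmins", "NetAdmin-Devices", "Permit Access", "NetAdminCommands"),
    Rule("NetAdmin-DenyOthers", "NetAdmins", None, "DenyAccess", "DenyAllCommands"),
    Rule("NetEng-Permit", "NetworkEngineers", None, "Permit Access", "PermitAllCommands"),
]

# The common mistake: deny rule placed above the permit rule.
REVERSED = [RULES[1], RULES[0], RULES[2]]


if __name__ == "__main__":
    for ig, dt in [("NetAdmins", "NetAdmin-Devices"), ("NetAdmins", "Core-Routers"),
                   ("NetworkEngineers", "Core-Routers"), ("Contractors", "Core-Routers")]:
        print(ig, dt, "->", evaluate(RULES, ig, dt))
    print("shadowed in recommended order:", shadowed_rules(RULES))
    print("shadowed in reversed order:", shadowed_rules(REVERSED))
```

Running `shadowed_rules` over a rule table before saving it is the check worth keeping: in the reversed table the step-3 permit rule is reported as shadowed, and a NetAdmin logging into one of their own devices is denied.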
