topic Default Device Admin (Tacacs+) in Network Access Control

Default Device Admin (Tacacs+)

thanmad — Mon, 11 Mar 2019 01:10:39 GMT

ACS 5.1

Default Device Admin

Identity:

Single Result (internal list and AD1)

Group Mapping:

Rule1:(anyone in AD/Administrators=Group/AdminGroup)

Default: Standard user

Authorization:

Rule1: (anyone in Group/AdminGroup, permit all commands)

Default: Deny All Commands

Here's my situation:

User1 (AD/Administrator)

UserBob (NOT in AD/Administrator)

User1 Logs into a switch, types "enable" is asked to authenticate again, and can then run all commands (this is what i'm looking for, though i dislike the second login)

UserBob Logs into a switch, types "enable" is asked to authenticate again, but gets error "% Error in Authentication" (i do not want UserBob to even be able to log into the switch to begin with)

So my question is:

How do i keep UserBob from being able to log into the switch?

How do I get User1 to enter level 15 (Switch# instead of Switch>) automatically without being prompted to enter their password a second time after typing "enable"?

As i understand it, "Default Device Admin" is different than "Default Network Access" which i liken to "logging into switches" vs. "authenticating against VPN server or Wireless" respectively. So i should be able to restrict users from logging into switches, but still allow them to authenticate for access to things like VPN, so i don't think what i'm asking above will keep me from being able to do that.

Ideas?

Default Device Admin (Tacacs+)

Devashree Chakrabarti — Tue, 21 Jun 2011 06:46:13 GMT

Hello

Q1 : How do i keep UserBob from being able to log into the switch?

Configure NAR [network access restriction] and restrict the user to "not-to" access switch.

Q2 : How do I get User1 to enter level 15 (Switch# instead of Switch>) automatically without being prompted to enter their password a second time after typing "enable"?

You need to configure exec authorization on switch and push "privlege level = 15" to make User1 fall on switch# mode.

The command on switch will be :

aaa authorization exec default group tacacs local

Let me know if it helps.

thanks

Devashree

Default Device Admin (Tacacs+)

thanmad — Tue, 21 Jun 2011 20:45:24 GMT

You've lost me, on both fronts:

Q1: i knew where NAR was in 4.x, but there's nothing called NAR in 5.1. I see Policy Elements>Session Conditions>NetworkConditions>End Station Filters, but no way to tie that to users...

Q2: I have this command in my switch, i see no way to specify level 15 in ACS.

Default Device Admin (Tacacs+)

Nicolas Darchis — Wed, 22 Jun 2011 05:41:32 GMT

There is no NAR in ACS 5. Forget about that.

Well, you are authenticating the user but not authorizing him to any commands for the moment.

You said your default authorization rule returns "denyallcommands". That is good but it should also return the shell profile "deny access". Did you verify that ?

Default Device Admin (Tacacs+)

thanmad — Fri, 24 Jun 2011 15:21:42 GMT

Thanks Master Vader

You were correct, my default authorization rule had permit access in it. Once i changed it to Deny Access it worked flawlessly.

Any ideas how i set groups to get level 15 access by default?

Jon

Default Device Admin (Tacacs+)

Nicolas Darchis — Mon, 27 Jun 2011 05:57:14 GMT

Instead of returning "permit access", return a shell profile that you will have created. That's where you can define the privilege level and other common shell properties.

Nicolas

Default Device Admin (Tacacs+)

Vinay Sharma — Mon, 27 Jun 2011 09:59:20 GMT

Thanks Nico ......5+

Vinay Sharma

Community Manager - Wireless

Cisco Support Community

Default Device Admin (Tacacs+)

thanmad — Mon, 27 Jun 2011 16:29:30 GMT

Thanks, I have two entries in my shell profile for privelige level: Default Privilege and Maximum Privilege. Maximum Privelige was already set to 15. Setting both to 15 does not fix the issue. Setting only Default Privilege to 15 results in me not being able to access enable on the switch (error in authentication).

Ideas?

Default Device Admin (Tacacs+)

Nicolas Darchis — Mon, 27 Jun 2011 16:32:28 GMT

For the particular problem of logging twice, it is actually the command "aaa authorization exec" which allows users to land directly in enable mode or not.

Default Device Admin (Tacacs+)

thanmad — Mon, 27 Jun 2011 18:55:27 GMT

Ahh, found the problem. This apparently only works on VTY connections, i've been doing my testing with the console connection.

once i tried this on my VTY session it works flawlessly.

thanks again for sharing your dark side of the force