https://community.cisco.com/t5/network-access-control/aaa-authentication-on-different-cisco-devices/m-p/716695#M419953 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>This will be possible through Network Access Profiles.</P><P></P><P>Following link can give you more information on NAP:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sp.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sp.htm</A></P><P></P><P>As a pointer</P><P>You need to create 2 NAP's </P><P>One for ACE Module</P><P>Other for MDS 9000 </P><P></P><P>In these you have to define Network Access Filters having ACE for ACE-NAP </P><P>and MDS for MDS-NAP</P><P></P><P>And for the NAP's you have to define the Radius Authorization components (attributes) to be send when the authentication happens from the devices referred in NAP.</P><P></P><P>(Both NAF and RAC can be defined in Shared Profile Components, if you cannot see them there enable them from Interface Configuration)</P><P></P><P>So now whenever the authentication will happen, ACS will look at the required NAP and for specific device send the required RAC attributes, So for ACE devices you will get only ACE attributes and for MDS you will only get MDS attributes.</P><P></P><P>Regards</P><P>Rohit</P><P></P></BODY></HTML> Thu, 19 Jul 2007 16:26:34 GMT rochopra 2007-07-19T16:26:34Z https://community.cisco.com/t5/network-access-control/aaa-authentication-on-different-cisco-devices/m-p/716694#M419951 <P>Hi, </P><P>we use a tacacs Server ACS4.0 and have different networkdevices in our network, just like MDS 9000 ACE-Module and normal CatO and IOS devices. </P><P>Now I wanted to creat a group with users with are allowed to connect to all devices as admin. </P><P>But to connect to the ACE Module i need to insert the following lines to the ACE Custom attributes: shell:ANLOS*Admin,</P><P>and for the MDS 9000 pair*shell:roles="network-admin".</P><P></P><P>When I insert the commands allone the authentication on the devices works, but when I inser both commands, the authentication on the ACE Module failed.</P><P>Is it possible to insert both commands so that it works on all devices ??</P><P></P><P>Thanks very mutch</P><P></P><P>Peter</P> Sun, 10 Mar 2019 22:17:04 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-on-different-cisco-devices/m-p/716694#M419951 pprade 2019-03-10T22:17:04Z https://community.cisco.com/t5/network-access-control/aaa-authentication-on-different-cisco-devices/m-p/716695#M419953 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>This will be possible through Network Access Profiles.</P><P></P><P>Following link can give you more information on NAP:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sp.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sp.htm</A></P><P></P><P>As a pointer</P><P>You need to create 2 NAP's </P><P>One for ACE Module</P><P>Other for MDS 9000 </P><P></P><P>In these you have to define Network Access Filters having ACE for ACE-NAP </P><P>and MDS for MDS-NAP</P><P></P><P>And for the NAP's you have to define the Radius Authorization components (attributes) to be send when the authentication happens from the devices referred in NAP.</P><P></P><P>(Both NAF and RAC can be defined in Shared Profile Components, if you cannot see them there enable them from Interface Configuration)</P><P></P><P>So now whenever the authentication will happen, ACS will look at the required NAP and for specific device send the required RAC attributes, So for ACE devices you will get only ACE attributes and for MDS you will only get MDS attributes.</P><P></P><P>Regards</P><P>Rohit</P><P></P></BODY></HTML> Thu, 19 Jul 2007 16:26:34 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-on-different-cisco-devices/m-p/716695#M419953 rochopra 2007-07-19T16:26:34Z https://community.cisco.com/t5/network-access-control/aaa-authentication-on-different-cisco-devices/m-p/716696#M419955 <HTML><HEAD></HEAD><BODY><P>Not sure that will work... NAP is for RADIUS only and device admin uses TACACS+</P><P></P><P>No, the way to do it is create an admins group plus a number of Shared Device Command sets (one for each device type).</P><P></P><P>In the command authorisation section of the group setup add mapping from the AAA Clients (either at device level or NDG) to the appropriate SPC.</P><P></P><P>This way an admin user is always in the admin group, but the command authorisation change depending on the device being managed.</P><P></P><P>et voila!</P><P></P><P>Device Command Sets are explained in this excellent White Paper: <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080088893.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080088893.shtml</A></P></BODY></HTML> Mon, 23 Jul 2007 06:01:51 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-on-different-cisco-devices/m-p/716696#M419955 darpotter 2007-07-23T06:01:51Z