topic PRIVILEGE LEVELS FOR ACS WITH AD DATABASE in Network Access Control

PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

htaluja_2 — Sun, 10 Mar 2019 22:12:10 GMT

How do I configure two separate privilige levels for two groups. These groups exist in the AD database i.e. my ACS (Pri & Backup) are looking in AD for authentication.

Re: PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

Jagdeep Gambhir — Fri, 08 Jun 2007 18:26:28 GMT

Hi ,

If you are using TACACS ,

Bring users/groups in at level needed

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter " priv "(1 to 15) in the adjacent field

If you are using RADIUS,

aaa new-model

aaa authentication login default group radius local

aaa authorization exec default group radius local

radius-server host X.X.X.X key XXXX

Following is the configuration required in the Radius Server

The AV pair in the ACS -->group setup--> IETF RADIUS Attributes

[006] Service-Type = Login

/* Following is for getting the user straight in privledge mode */ to set priv 15

The AV pair in Cisco IOS/PIX RADIUS Attributes

[009\001] cisco-av-pair = shell:priv-lvl=15

For more information on above commands, please refer to the following link :-

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsec

ur_c/fsaaa/index.htm

Please try the above and let me know if this helps.

Thanks

Re: PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

htaluja_2 — Fri, 08 Jun 2007 18:28:47 GMT

Thanks! I'll try these and get back to you.

Re: PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

Premdeep Banga — Fri, 08 Jun 2007 21:42:40 GMT

Hi,

Make sure that you have,

aaa authorization exec default group radius....

aaa authorization exec default group tacacs....

or something similar EXEC authorization command in your configuration along with authentication.

Regards,

Prem

Re: PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

htaluja_2 — Tue, 12 Jun 2007 16:17:07 GMT

I did and it works. I just get the following message though:

AAA/Author: config command authorization not enabled

as soon as I enter it. Following is the list of commands I have on the Switch. This is a test switch for ACS. Let me know if anything is amiss.

____________________________________

aaa new-model

aaa authentication login NO_AUTH none

aaa authentication login RADIUS line

aaa authentication login LOC_AUTH group radius line

aaa authentication enable default enable

aaa authorization exec default group tacacs+

aaa accounting send stop-record authentication failure

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

_________________________

Re: PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

Jagdeep Gambhir — Tue, 12 Jun 2007 16:28:24 GMT

Nice to know that.

Please add one more command

aaa authorization config-commands

It should fix it.

Regards,

Jagdeep

Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it.

Re: PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

htaluja_2 — Tue, 12 Jun 2007 16:30:06 GMT

I shall, just as soon as I find out what the command does? Please let me know.

Re: PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

htaluja_2 — Tue, 12 Jun 2007 17:18:13 GMT

A MAJOR problem. Upon executing the two commands:

aaa author exec def group tacacs+ none..I can no longer goto priv mode from my console connection. The workaround that I have created two sets of authorization execs:

aaa authorization exec NO_AUTH none

aaa authorization exec TAC_AUTH group tacacs+ none

Applied NO_AUTH to console

applied LOC_AUTH to vty.

Obviously, when you proposed the use of aaa authorization exec def group tacacs+, you did not intend the user to be unable to login to console port. So what would be the course in that case. In addition, is my solution 'best practices' or not.

Re: PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

Premdeep Banga — Tue, 12 Jun 2007 22:31:46 GMT

Hi,

Authorization is not enabled on console by default, and no matter which authorization method list you apply on console it wont take effect.

Untill you specify "aaa authorization console" command, its a hidden command.

Dont do it, as it will enable command authorization to be applied on console as well. If you want to keep console apart from command authorization, then dont specify the command. If you want console to work the way telnet/ssh does, then yes go for it.

As far as your issue goes,

you have "aaa authentication enable default enable"

Then you must be landing,

Switch>

Make sure that you have enable password configured on switch, and you are using the same enable password.

Regards,

Prem