ACS 5.3: Manage/create groups

sudip.acharya1 — Fri, 21 Feb 2020 12:38:13 GMT

Hi,

As a Network Eng, I want the NetAdmins to use ACS for auth on their devices such as Fabric Intrcnncts, MDS switches and so on. How can I make sure once TACACS+ is configured on those devices, NetAdmins can only access those specific devices and nothing else (i.e. switches, routers, etc.)

I am new to ACS, any other tips/suggestions are appreciated.

Thanks in advance.

Re: ACS 5.3: Manage/create groups

spindoctor64 — Thu, 24 May 2012 17:15:51 GMT

1. Put all the devices that the NetAdmins are permitted to modify in one Device Group

2. Put all the NetAdmin user accounts in one Identity Group

3. Create a rule that lets NetAdmins logging into their Device Group access the device:

Go to: Access Policies > Access Services > Default Device Admin > Authorization

Click the Customize button at the bottom of the screen.

In the popup window, under Customize Conditions, move Identity Group and NDG:Device Type to the Selected: box on the right

Click OK

Click the Create button

Under Conditions:

Check the box next to Identity Group:

Use the Select button to choose your NetAdmin Identity Group

Check the box next to NDG:Device Type:

Use the Select button to choose the Device Group your NetAdmin devices belong to

Under Results:

Use the Select button to choose a Shell Profile; probably use Permit Access

Under Command Sets: Use the Select button to choose a Command Set

(Build at Policy Elements > Authorizations and Permissions > Device Administration > Command Sets)

Click the OK button.

Check the box next to this new rule, and use the ^ button to move it to the top of your list of rules.

4. Create a rule that denies access to NetAdmins trying to log into any other device:

Click the Create button

Under Conditions:

Check the box next to Identity Group:

Use the Select button to choose your NetAdmin Identity Group

Under Results:

Use the Select button to choose a Shell Profile; probably use DenyAccess

Under Command Sets: Use the Select button to choose a Command Set; probably use DenyAllCommands

Click the OK button.

Check the box next to this new rule, and use the ^ button to move it directly below the rule created in step 3.

I hope this helps, and in the future try posting ACS-type questions to the AAA, Identity and NAC forum instead of the Security Management forum.

--Chris

topic Re: ACS 5.3: Manage/create groups in Network Security

ACS 5.3: Manage/create groups

Re: ACS 5.3: Manage/create groups