Good Day Experts,
I have a requirement to implement AAA and RBAC with ACE and ANM and need some advice.
1. We would like to have the users utilise their AD account as their user ID for access to the ACE modules and ANM, so Authentication is done by AD.
2. Can we use the ANM to centrally manage the RBAC, not only for access for users utilising ANM but users requiring CLI access to the ACE modules as well?
3. If the above (2) is possible, is it required to have the ACE modules and the ANM both configured to authenticate to the ACS TACACS+ server or would it be a better option to have the ANM server Authenticate directly to AD?
4. Would there be the requirement to have the ACE modules and the ANM server in their own Device Groups on ACS?
5. For (4) above, would this not be an issue Re: the same username in multiple device groups on the ACS server?
6. How would we be able to achieve this? Can we have the ACE modules authenticate to the ANM server and the ANM server authenticate to ACS?
7. We are also trying to prevent the issue of a user being authenticated and being granted Network-Monitor access, as some of these users may already exist in ACS for access to existing Network devices (we will obviously apply the relevant AV-Pairs for the ACE for the users requiring access, but what about the rest?).
Any assistance would be greatly appreciated.
Please email your request to firstname.lastname@example.org, and I will send back to you a set of pre-release documents related to ACE/ANM/AAA/RBAC. Those same documents will be posted to Cisco.com in the next 90 days.