06-15-2012 04:35 PM - edited 03-10-2019 07:12 PM
Hi guys, we've configured an ACS 5.1 and integrated it with Active Directory (Win2K3). We created two groups in the AD for managing network devices, one for Administrators and the other for Operators (read-only), and configured a device admin policy; both groups work fine. But now we are facing a little problem: any user who exists in the AD can log in (user exec mode) to the network devices, and we want to restrict the login with the policy, but we just don't know how.
Is there a way to get a user authenticated against an external group or the internal ACS database at the user level, just like you can do in ACS 4.x?
Thanks for your help!!!
Best Regards
Oscar
06-15-2012 04:42 PM
Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then edit the shell profile and choose "Not in use" for the privilege level there.
Submit the changes and try again.
06-15-2012 05:10 PM
Hi Katyal, the normal users (not Administrators or Operators) are falling into the Permit Access shell profile and I cannot modify it.
Any ideas?
06-15-2012 05:14 PM
Yeah, you cannot edit that, it's a default shell profile. All you need to do is create a new one with privilege level "Not in use" and select the new shell profile for the (not Administrators or Operators) rule under Default Device Admin >> Authorization profile >> edit it and make the changes.
Hope this helps.
06-15-2012 05:56 PM
Normal users are still falling into the Permit Access shell profile. I think it is because all users match the "Identity Policy Matched Rule", which matches "protocol tacacs". I've tried to find an attribute to make a difference, like the groups that we configured in the AD, but I still haven't found it.
Now I modified the identity rule by adding a compound condition "system username" and it works, but I have to include every administrator and operator. Do you think there is an easier way to accomplish this?
06-15-2012 06:15 PM
You can categorise using internal groups, since the devices and protocol are the same in both cases.
Regards,
Jatin
06-15-2012 06:38 PM
Now it's working as expected.
One last question: is it possible that some users from the same group could be authenticated using AD and others using the ACS internal database? I mean, could we choose the authentication method at the user level?
Thank you so much for your help.
Regards,
Oscar
06-15-2012 06:51 PM
Yes, you should have the user in the internal database and in AD too, and then select the user to check the password against any configured database.
Create an attribute "ACS-RESERVED-Authen-ID-Store" with String type under System Administration > Configuration > Dictionaries > Identity > Internal Users, and set this attribute's corresponding value in the internal user "User1" to AD1.
Set the identity store as Internal Users in Access Policies.
You can then edit the user in the internal database as per your requirement.
Regards,
Jatin
Do rate helpful posts-
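To make the two fixes in this thread concrete (the default authorization rule pointed at a shell profile with privilege level "Not in use", and the per-user identity store selected through the ACS-RESERVED-Authen-ID-Store attribute), here is a small Python model added here; it is not code from the thread or from Cisco ACS. The store contents, rule names, passwords and the simplified evaluation order are assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample stores (not real accounts): user -> (password, groups).
AD1 = {"alice": ("pw-a", {"NetAdmins"}), "bob": ("pw-b", {"NetOperators"}),
       "carol": ("pw-c", set())}                       # carol: plain domain user
INTERNAL = {"alice": ("", set()), "bob": ("", set()), "carol": ("", set()),
            "svc-backup": ("pw-s", {"NetOperators"})}  # internal-only account
# Stand-in for the per-user ACS-RESERVED-Authen-ID-Store attribute: "AD1" means
# the password is checked against AD; absent means the internal database.
AUTHEN_ID_STORE = {"alice": "AD1", "bob": "AD1", "carol": "AD1"}

@dataclass
class ShellProfile:
    name: str
    priv_level: Optional[int]   # None models privilege level "Not in use"

PERMIT_ACCESS = ShellProfile("Permit Access", 1)   # ACS default rule: the thread's problem
NO_SHELL = ShellProfile("No Shell", None)          # new default profile: the thread's fix
RULES = [("NetAdmins", ShellProfile("Admins", 15)),
         ("NetOperators", ShellProfile("Operators", 1))]   # ordered, first match wins

def authenticate(user: str, password: str) -> Optional[Set[str]]:
    """Identity policy: the user must exist internally; the attribute picks the store
    whose password is checked. Groups are read from that store (a simplification)."""
    if user not in INTERNAL:
        return None
    store = AD1 if AUTHEN_ID_STORE.get(user) == "AD1" else INTERNAL
    entry = store.get(user)
    return entry[1] if entry and entry[0] == password else None

def authorize(groups: Set[str], default: ShellProfile) -> ShellProfile:
    """Default Device Admin authorization: first matching group rule, else the default."""
    for group, profile in RULES:
        if group in groups:
            return profile
    return default

def exec_access(user: str, password: str, default: ShellProfile = NO_SHELL) -> str:
    """Outcome of a TACACS+ login: authentication, then shell authorization."""
    groups = authenticate(user, password)
    if groups is None:
        return "AUTHEN FAIL"
    profile = authorize(groups, default)
    if profile.priv_level is None:
        return "AUTHOR FAIL"   # "Not in use": no shell is granted to the device
    return f"{profile.name} priv {profile.priv_level}"
```

Run `exec_access("carol", "pw-c", PERMIT_ACCESS)` to see the original behaviour (every AD user gets a priv 1 shell) next to the default `NO_SHELL`, where the same user is refused shell authorization.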
06-15-2012 07:13 PM
In case you are running ACS code below ACS 5.2.0.26 patch 2, then you won't be able to use this feature. This was an enhancement request which got fixed in ACS 5.2 patch 2.
CSCtk32683 Authenticate internal DB user on external identity store
Regards,
Jatin
Do rate helpful posts-