ACS 5.1 using Active Directory to manage network device Admin policy

ochalmers
Level 1

Hi guys, we've configured an ACS 5.1 and integrated it with Active Directory (Win2K3). We created two groups in the AD for managing network devices, one for Administrators and the other for Operators (read-only), so we configured a device admin policy and both groups work fine. But now we are facing a little problem: any user who exists in the AD can log in (user exec mode) on the network devices, and we want to restrict the login with the policy, but we just don't know how.

Is there a way to have a user authenticated against an external group or the internal ACS store, but at the user level, just like you can do in ACS 4.X?

Thanks for your help!!!

Best Regards

Oscar


8 Replies

Jatin Katyal
Cisco Employee

Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles then edit the shell profile and choose Not in use for privilege level there.

Submit the changes and try again.

~Jatin

Hi Katyal, the normal users (not Administrators or Operators) are falling into the Permit Access shell profile and I cannot modify it.

Any ideas.

Yeah, you cannot edit that, it's a default shell profile. All you need to do is create a new one with privilege level "Not in use" and select the new shell profile for the users who are not Administrators or Operators under Default Device Admin >> Authorization Profile >> edit it and make the changes.

Hope this helps.

~Jatin

Normal users are still falling into the Permit Access shell profile. I think it is because all users match the "Identity Policy Matched Rule", which matches "protocol tacacs". I've tried to find an attribute to make a distinction, like the groups that we configured in the AD, but I still haven't found it.

Now I modified the identity rule, adding a compound condition on "System Username", and it works, but I have to include every administrator and operator. Do you think there is an easier way to accomplish this?

You can categorise using internal groups, since the devices and the protocol are the same in both cases.

Regards,

Jatin

~Jatin

Now it's working as expected.

One last question: is it possible that some users from the same group could be authenticated using AD and others using the ACS internal database? I mean, could we choose the authentication method at the user level?

Thank you so much for your help.

Regards,

Oscar

Yes, you should have the user in the internal database and in AD too, and then select, per user, which configured database the password is checked against.

Create an attribute "ACS-RESERVED-Authen-ID-Store" of type String under System Administration > Configuration > Dictionaries > Identity > Internal Users, and set this attribute's value in the internal user "User1" to AD1.

Set the identity store as Internal users in Access Policies.

You can then edit the user in the internal database as per your requirement.

Regards,

Jatin

Do rate helpful posts-

~Jatin
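To make the two mechanisms in this thread concrete, here is an added Python model (not ACS code, and not from any of the posters) of how the device admin policy behaves once configured as described: an internal user whose ACS-RESERVED-Authen-ID-Store attribute is set gets the password check redirected to that store, authorization is decided from group membership, and the default rule maps to a shell profile whose privilege level is "Not in use" so that ordinary domain users get no exec access. The group and user names are constructed sample data.

```python
# Constructed sample data modelling the thread's setup; group and user
# names are assumptions, not values from the original page.
AD_GROUPS = {
    "alice": {"NetAdmins"},      # member of the AD administrators group
    "bob":   {"NetOperators"},   # member of the AD operators group
    "carol": set(),              # ordinary domain user with no device role
}
INTERNAL_USERS = {
    # ACS-RESERVED-Authen-ID-Store = "AD1": password is checked against AD,
    # but the internal group drives authorization, as the thread suggests.
    "User1":  {"ACS-RESERVED-Authen-ID-Store": "AD1", "groups": {"NetOperators"}},
    # No store attribute: plain internal-database authentication.
    "local1": {"ACS-RESERVED-Authen-ID-Store": None, "groups": {"NetAdmins"}},
}
# Shell profiles. A privilege level of None models "Not in use": the device
# receives no priv-lvl attribute, so exec authorization is refused.
SHELL_PROFILES = {"Admins": 15, "Operators": 1, "NoAccess": None}
# Authorization rules are evaluated top-down, first match wins; the last
# entry (no group condition) is the default rule that catches everyone else.
AUTH_RULES = [
    ({"NetAdmins"}, "Admins"),
    ({"NetOperators"}, "Operators"),
    (None, "NoAccess"),
]


def resolve(username):
    """Run the identity policy, then the authorization policy, for one login."""
    if username in INTERNAL_USERS:
        user = INTERNAL_USERS[username]
        store = user["ACS-RESERVED-Authen-ID-Store"] or "Internal Users"
        groups = user["groups"]
    elif username in AD_GROUPS:
        store, groups = "AD1", AD_GROUPS[username]
    else:
        # Unknown everywhere: authentication fails before authorization runs.
        return {"store": None, "profile": None, "priv_lvl": None, "exec": False}
    for required, profile in AUTH_RULES:
        if required is None or required & groups:
            priv = SHELL_PROFILES[profile]
            return {"store": store, "profile": profile,
                    "priv_lvl": priv, "exec": priv is not None}


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "User1", "local1", "mallory"):
        print(name, resolve(name))
```

The "carol" case is the situation the original poster hit: a valid AD account that matches no group rule, which only stays out of exec mode because the default rule points at the "Not in use" profile rather than at Permit Access.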

In case you are running ACS code below ACS 5.2.0.26 patch 2, you won't be able to avail yourself of this feature. This was an enhancement request which got fixed in ACS 5.2 patch 2.

CSCtk32683    Authenticate internal DB user on external identity store

Regards,

Jatin

Do rate helpful posts-

~Jatin