Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1196
Views
0
Helpful
6
Replies

ACS 5.2 Identity Base Authentication

pemasirid
Level 1
Level 1

‎07-04-2011 08:38 AM - edited ‎03-10-2019 06:12 PM

Hi,

I need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.

1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command

2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"

3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets

All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.

Appreciate if someone can advise me what is I'm missing here.

thanks

Labels:
Preview file
2157 KB
0 Helpful
6 Replies 6

andamani
Cisco Employee
Cisco Employee

‎07-04-2011 09:37 PM

Hi,

The configuration seems fine. What do the logs in the reoprts show? which authorization profile is it falling ?

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

0 Helpful

jrabinow
Level 7
Level 7
In response to andamani

‎07-04-2011 10:04 PM

It looks to me that rules 3 and 6 are have the same conditions and so rule 6 will never be hit (hard to be sure 100% in case the screen shot is truncated)

In general can debug such issues as follows:

- using hit counts. reset the hit counts before starting the test and refreshing after the test completes

- looking at the authentication details. for each pass/fail record can click on the details icon and see the full details for the request. This includes all the attributes used when processing the request and the name of the rule that was hit in each policy

0 Helpful

pemasirid
Level 1
Level 1
In response to andamani

‎07-05-2011 02:25 AM

Hi Anisha/jrabinow.

Actually its hitting correct authorization profile, but still I'm seeing first it goes to different access service (xxxx Sec Admin), Attached is the detailed log I got from the ACS...

Meanwhile appreciate if you can send me any configuration document for this senario?

Regards,

0 Helpful

andamani
Cisco Employee
Cisco Employee
In response to pemasirid

‎07-05-2011 03:42 AM

Hi,

how did you figure out that it is hitting the other access service?

Regards,

Anisha

0 Helpful

pemasirid
Level 1
Level 1
In response to andamani

‎07-05-2011 03:46 AM

Thanks Anisha for your response..

If you look at the Access Service policy its not the one I wanted. I already created one Access Policy call "RestrictedAcees" and I cant see that is hitting..

Do you have any configuraiton document for this senario or any working settings..?

0 Helpful

jrabinow
Level 7
Level 7
In response to pemasirid

‎07-05-2011 03:53 AM

As I mentioned if you look in Service Selection rules; rule number 3 (name=Rule-2) and rule number 6 (name:RestricAccess) have precisely the same conditions. The policy is first match and so rule 6 will never matched. If you want rule 6 to take effect instead of 3 either disable or delete rule number 3 (name:Rule-2)

0 Helpful
Customers Also Viewed These Support Documents