ACS 5.4 identity difference

marco.escultura
Level 1

Hi Cisco,

We have ACS 5.4 and currently under default network access the identity is set to our AD because we use it for our wireless. Is it possible to set the default device admin identity to internal users without affecting the setting on the default network access identity? Please advise. I want to integrate our other switch on our ACS but we don't want to touch anything on the default network access identity, so I want it to be on default network admin identity.

3 Replies

Yes. You can create a new access service and select internal-users as
identity. Then under authorization you can create a rule to match tacacs
and use it for device admin authentication.

Hi Mohammad, thanks, let me try and let you know.

One more thing: I ran the below aaa commands on our Cisco switch and after that we cannot reach the privilege mode anymore. Can you help me check also if I missed something? Thanks!

aaa new-model
tacacs-server host 172.16.12.120
tacacs-server key KuokCisco
ip tacacs source-interface vlan1
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+

If you didn't save the config, reload and it will take the config out.
Basically you configured authorization without aaa server configured.
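
The lockout discussed in this thread, as an added example that is not part of the original posts or of any Cisco tooling: a small Python check that parses the AAA method lists posted above and flags the ones that depend on the TACACS+ server accepting the switch before anything else is tried. The function names and finding codes are hypothetical, chosen for this illustration; the shared-key line is left out of the sample input.

```python
import re

# Sample input: the AAA lines posted in the thread (key line omitted).
POSTED_CONFIG = """\
aaa new-model
tacacs-server host 172.16.12.120
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
"""

LIST_RE = re.compile(
    r"^aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)$")

def parse_method_lists(config):
    """Return (label, methods) for each authentication/authorization list."""
    lists = []
    for line in config.splitlines():
        m = LIST_RE.match(line.strip())
        if not m:
            continue  # accounting and non-AAA lines are ignored here
        kind, svc, level, name, rest = m.groups()
        tokens, methods = rest.split(), []
        while tokens:
            tok = tokens.pop(0)
            # "group <name>" is one method that names a server group
            methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
        label = " ".join(p for p in (kind, svc, level, name) if p)
        lists.append((label, methods))
    return lists

def lockout_findings(config):
    """Return (label, code) pairs for method lists that can lock admins out."""
    has_local_user = any(l.strip().startswith("username ") for l in config.splitlines())
    findings = []
    for label, methods in parse_method_lists(config):
        if methods[0].startswith("group "):
            # Later methods run only if the server gives no response; a reject is final.
            findings.append((label, "SERVER_FIRST"))
        if "local" in methods and not has_local_user:
            findings.append((label, "LOCAL_NO_USER"))
        if methods == ["none"]:
            findings.append((label, "NO_AUTH"))
    return findings
```

Calling `lockout_findings(POSTED_CONFIG)` reports every server-first list, the `local` fallbacks that have no `username` entry behind them, and the `no_tacacs` list that authenticates nobody.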