
ACS 5.5 How do I apply different command sets to a group of users.

russell_parker
Level 1

Hi,

I have an existing ACS4.2 installation that I am migrating to a V5.5 appliance.

So far I have managed to configure the basics within V5.5, but I need to understand how to apply different command sets to the same group of users that apply to different Network Device Groups (NDG).

I will explain further:

In the existing ACS 4.2 install, I have a group of users (designers) who have "Full Access" (configure etc.) to Cisco devices in an NDG for our test environment. I will call it the TEST NDG.

This same designer group has "Read Only" access to the remainder of the network (show commands but no configuration). For the explanation I will call the NDGs NET1, NET2 and NET3.

So within the ACS4.2 Group configuration for Designers, I apply the "Read Only" command authorisation set to NET1, NET2 and NET3 along with the "Full Access" command authorisation set to TEST.

This works well in our environment and I am now trying to map the same restrictions in V5.5, but so far with no luck.

Although I have managed to add 1 command set to the Identity group (which works well), I am unsure how to add a second command set that applies to a different Device group for the same Identity Group.

Has anybody any ideas how to achieve this?


Jatin Katyal
Cisco Employee

Hi Russell,

Please go through a configuration example of how to set different command sets on ACS 5.x:

ACS 5.x: TACACS+ Authentication and Command Authorization based on AD group membership Configuration Example

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html


Hope this helps.

Regards,
Jatin Katyal
*Do rate helpful posts*

~Jatin