ACS - Local access to ACS server - creating user accounts

steve pearson · ‎12-20-2010

Hi

I am quite familar with ACS and have granted access to resources through configuring Group Mappings to our AD including WCS acces and access to network switches.

However I want to grant access to staff to be able to create local accounts on ACS to a local ACS group. This group contains user accounts for 802.1x access to resources and so is a local ACS group only.

Is this possible?

Where abouts on the local ACS user account would I modify access to these limited functions on ACS?

ACS v4.1.

Many thanks!!

Steve

tfraij · ‎12-20-2010

Hello Steve,

you can do this under administrator priviliges.

for details , please refer to

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/a.html#wp654658

" You can grant appropriate privileges to each ACS administrator by assigning privileges on an administrator-by-administrator basis. You control privileges by selecting the options from the Administrator Privileges table on the Add Administrator or Edit Administrator pages. These options are: "

•User and Group Setup—Contains the following privilege options for the User Setup and Group Setup sections of the web interface:

–Add/Edit users in these groups—Enables the administrator to add or edit users and to assign users to the groups in the Editable groups list.

–Setup of these groups—Enables the administrator to edit the settings for the groups in the Editable groups list.

–Available Groups—Lists the user groups for which the administrator does not have edit privileges and to which the administrator cannot add users.

–Editable Groups—Lists the user groups for which the administrator does have edit privileges and to which the administrator can add users."

Best regards

Talal

============

please rate answers that you find useful , and mark as answered ( when it is :-) )

steve pearson · ‎12-21-2010

Hi Talal

Thank you for posting back!

I'm still not quite sure where I would granually set permissions to just create users in a group and have no other access, is this possible? If so the area I'm unsure about is where do you define this in the user page (bearing in mind I'm still on version 4.1 which isn't that intuitive!).

If you could help me out more that would be great!!

Thanks again

Steve

tfraij · ‎12-21-2010

Hello Steve,

for specific user (administrator), you need to go administration control ->>> click on adming name

remove all check boxes under administrator priviliges. and keep only Add/Edit users in these group.

and move that desired group only to right box.

note you can select Add/Edit users in these group, there is no option Just to add users only....

Kind regards

Talal

steve pearson · ‎12-21-2010

Brilliant! Overlooked that area of ACS!!

Thanks!

Steve

stalin_cisco · ‎05-13-2012

Dear Experts,

My boss is asking to provide below command only to desktop engineers, I saw some pre-defined group there but not sure how to customize to work only below commands.

Cisco ACS: ACS1113

show interfaces

show log

clear port-security sticky interface

Configure Terminal

interfaces

shutdown

no shutdown

Could you please advice?

Thanks,

Stalin P

Sent from Cisco Technical Support iPhone App

steve pearson · ‎05-14-2012

Sure, I'll send you some info when I'm in front of my acs server...

Sent from my iPhone