09-09-2012 05:40 AM - edited 03-10-2019 07:31 PM
Hi Experts,
Need urgent help.
I have installed ACS 5.3.0.40 successfully and done the authentication through ACS using the TACACS+ protocol.
Two users are created: Admin and Contractor.
I also want to do the authorization. Let's say when I telnet to device 192.168.1.1 with user admin, it should have all the privilege levels up to 15, and when I telnet to the same device with user contractor, it should get privilege level 5.
Authentication to the ACS works fine, but I want to configure authorization and accounting.
How will the accounting work on ACS 5.3?
I configured the following commands on the switches.
aaa new-model
!
!
aaa authentication login acsserver group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
ip tacacs source-interface Vlan172
tacacs-server host 192.168.60.10 key cisco123
tacacs-server directed-request
line vty 0 4
 login authentication acsserver
 authorization commands 0 default
 authorization commands 1 default
 authorization commands 5 default
Looking for any replies, it's an urgent requirement.
09-09-2012 08:08 AM
Hi Fazal,
On the ACS side, you need to configure 2 shell profiles, the first one to set the default privilege level to 15 and the second one to 5. In the result for the "default device administration" rules, it needs to be set as follows:
rule 1: condition 1, if user "admin" comes in, result is shell profile 1 (priv-level 15)
rule 2: condition 2, if user "contractor" comes in, result is shell profile 2 (priv-level 5)
Under the AAA client you need to add
aaa authorization commands 5 default group tacacs+
Also you need to set up privilege 5 itself to be authorized for certain commands:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html#wp1027195
For accounting:
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_a1g.html#wp1081064
HTH
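A consolidated IOS-side configuration that follows the recommendation above, covering the missing level-5 authorization, a small privilege-5 command set and TACACS+ accounting. This is an added example, not from the original thread; the TACACS+ host, key and source interface are the values from the question, and the specific commands moved to level 5 are assumed.

```text
! Added example (not from the original post). Host, key and source
! interface are from the question; the privilege-5 command set is assumed.
aaa new-model
!
aaa authentication login acsserver group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
! level 5 was missing globally in the question, so the vty
! "authorization commands 5 default" line had no method list to use
aaa authorization commands 5 default group tacacs+
aaa authorization commands 15 default group tacacs+
!
! Accounting: send exec session start/stop records and every command
! executed at each level to the ACS TACACS+ server
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Make a limited set of commands available at level 5 so the contractor
! shell profile (priv-level 5) can run them; everything else stays at 15.
! show running-config only displays the parts the user is allowed to see.
privilege exec level 5 show running-config
privilege exec level 5 show interfaces
privilege exec level 5 show logging
privilege exec level 5 clear counters
!
ip tacacs source-interface Vlan172
tacacs-server host 192.168.60.10 key cisco123
tacacs-server directed-request
!
line vty 0 4
 login authentication acsserver
 authorization exec default
 authorization commands 0 default
 authorization commands 1 default
 authorization commands 5 default
 authorization commands 15 default
 accounting exec default
 accounting commands 0 default
 accounting commands 1 default
 accounting commands 5 default
 accounting commands 15 default
```

With this in place, the ACS shell profile decides the level the user lands in, the per-level authorization lists send each command to ACS for approval, and the accounting records on ACS show who ran which command and when.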
09-09-2012 07:14 PM
+5 Hussam
10-20-2012 12:32 AM
Sorry for the delayed reply, the solution worked perfectly.
Thanks...