Cisco ACS 5.2 RSA users not getting Level 15 privelege

sdmumbai rrc
Level 1

Hi,

I have cisco ACS 5.2 and external identity source as RSA secure ID.

Currently, when an RSA user logs in to the AAA network devices, the user ID & passcode prompt comes up; after giving the credentials, it goes to user exec mode.

Then, after the "enable" command, it again asks for the passcode; after giving the passcode, the user is able to log in successfully.

I need RSA users to get privilege level 15 (privileged mode) directly, with no need to ask for the enable password?

I checked this for local ACS users and it is working; local users are getting privileged mode access directly...

Please help, how can we do this?

Regards,

Sagar

2 Replies

Tarik Admani
VIP Alumni

Are you using the same service selection rule but changing the identity source on ACS 5.2? If you are using a different service selection rule, then you will need to make sure the same shell profile is assigned in the authorization policy. I find that resetting the hit counter also helps track which policies are being hit, along with analyzing the monitoring and reports. If you can, please post the two reports, one for the internal and one for the RSA user. You can PM me and I will be more than happy to provide a secure site to upload the PDF reports from the monitoring and reporting page for each session.

thanks,

Tarik

Hi Tarik,

The same shell profile is applied.

Please find the solution I applied; after this it's working:

Checked the Authorization Fail log (attached) and could not see the RSA device group configured under the Authorization Policy.

This is the group information that should be sent from the RSA server. As we did not have information on what was being sent by the RSA server, we manually configured Group Mapping.

i.e.

Under Access Policies > ... > Access Services > Default Device Admin > Edit: "Default Device Admin" – General, we enabled "Group Mapping".

From the new Group Mapping page, we used single Rule and selected the matching Group.

We tested and were now able to enter the required commands on the switch.

We also tested another group and our config had not affected them.

We discussed that to be able to configure specific rules for Group Mapping, you would need to know what the RSA is sending and then configure the conditions to match your required security policy.
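To make the cause and the fix above concrete, here is an added, simplified model of how an ACS 5.x device-admin access service picks a shell profile; it is illustration code written for this thread, not ACS code or the poster's configuration, and the group names, attribute shape and policy rules are constructed assumptions. It shows why an external (RSA) user with no mapped identity group falls through to the default shell profile (priv-lvl 1, hence the enable prompt), and why a Group Mapping rule lands the same user on the priv-lvl 15 profile without touching other groups.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Dict, Tuple


@dataclass
class ShellProfile:
    name: str
    priv_lvl: int  # priv-lvl returned to the IOS device in the TACACS+ exec authorization


@dataclass
class Session:
    identity_source: str                 # e.g. "Internal Users" or the RSA SecurID store
    identity_group: Optional[str]        # ACS identity group, None if nothing assigned
    external_groups: List[str] = field(default_factory=list)  # groups sent by the external source


# Constructed profiles: the default sends the user to exec mode, so 'enable' re-prompts.
DEFAULT_SHELL = ShellProfile("Default Shell Profile", 1)
PRIV15_SHELL = ShellProfile("Priv15 Shell Profile", 15)

# Group Mapping (constructed): external group attribute -> ACS identity group.
GROUP_MAPPING: Dict[str, str] = {"RSA-NetAdmins": "All Groups:NetworkAdmins"}

# Authorization policy (constructed): ordered rules of (identity group, shell profile).
# Anything that matches no rule gets DEFAULT_SHELL, which is the behaviour seen in the thread.
AUTHZ_RULES: List[Tuple[str, ShellProfile]] = [("All Groups:NetworkAdmins", PRIV15_SHELL)]


def apply_group_mapping(s: Session, mapping: Dict[str, str]) -> Session:
    """Assign an ACS identity group from the first external group that has a mapping rule."""
    for g in s.external_groups:
        if g in mapping:
            return Session(s.identity_source, mapping[g], s.external_groups)
    return s  # no rule hit: identity group stays unset, so no authorization rule can match


def authorize(s: Session, mapping_enabled: bool) -> ShellProfile:
    """Evaluate the access service: optional group mapping, then the authorization rules."""
    if s.identity_source != "Internal Users" and mapping_enabled:
        s = apply_group_mapping(s, GROUP_MAPPING)
    for group, profile in AUTHZ_RULES:
        if s.identity_group == group:
            return profile
    return DEFAULT_SHELL


if __name__ == "__main__":
    rsa_user = Session("RSA SecurID", None, ["RSA-NetAdmins"])
    print("mapping off:", authorize(rsa_user, False).priv_lvl)  # 1: exec mode, enable prompt
    print("mapping on: ", authorize(rsa_user, True).priv_lvl)   # 15: straight to privileged mode
```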