
Default Device Admin (Tacacs+)

thanmad
Level 1

ACS 5.1

Default Device Admin

Identity:

Single Result (internal list and AD1)

Group Mapping:

Rule1:(anyone in AD/Administrators=Group/AdminGroup)

Default: Standard user

Authorization:

Rule1: (anyone in Group/AdminGroup, permit all commands)

Default: Deny All Commands

Here's my situation:

User1 (AD/Administrator)

UserBob (NOT in AD/Administrator)

User1 logs into a switch, types "enable", is asked to authenticate again, and can then run all commands (this is what I'm looking for, though I dislike the second login)

UserBob logs into a switch, types "enable", is asked to authenticate again, but gets the error "% Error in Authentication" (I do not want UserBob to even be able to log into the switch to begin with)

So my question is:

How do I keep UserBob from being able to log into the switch?

How do I get User1 to enter level 15 (Switch# instead of Switch>) automatically without being prompted to enter their password a second time after typing "enable"?

As I understand it, "Default Device Admin" is different from "Default Network Access", which I liken to "logging into switches" vs. "authenticating against a VPN server or wireless" respectively. So I should be able to restrict users from logging into switches but still allow them to authenticate for access to things like VPN, so I don't think what I'm asking above will keep me from being able to do that.

Ideas?

2 Accepted Solutions (both by Nicolas Darchis; the two accepted posts appear in full in the replies below)

9 Replies

Hello

Q1 : How do i keep UserBob from being able to log into the switch?

Configure NAR [network access restriction] and restrict the user from accessing the switch.

Q2 : How do I get User1 to enter level 15 (Switch# instead of Switch>) automatically without being prompted to enter their password a second time after typing "enable"?

     You need to configure exec authorization on the switch and push "privilege level = 15" to make User1 land in switch# mode.

The command on switch will be :

     aaa authorization exec default group tacacs local

Let me know if it helps.

thanks

Devashree

You've lost me, on both fronts:

Q1: I knew where NAR was in 4.x, but there's nothing called NAR in 5.1. I see Policy Elements > Session Conditions > Network Conditions > End Station Filters, but no way to tie that to users...

Q2: I have this command in my switch; I see no way to specify level 15 in ACS.

Nicolas Darchis
Cisco Employee

There is no NAR in ACS 5. Forget about that.

Well, you are authenticating the user but not authorizing him to any commands for the moment.

You said your default authorization rule returns "denyallcommands". That is good but it should also return the shell profile "deny access". Did you verify that ?

Thanks Master Vader

You were correct, my default authorization rule had permit access in it. Once I changed it to Deny Access it worked flawlessly.

Any ideas how I set groups to get level 15 access by default?

Jon

Instead of returning "permit access", return a shell profile that you will have created. That's where you can define the privilege level and other common shell properties.

Nicolas

Thanks, I have two entries in my shell profile for privilege level: Default Privilege and Maximum Privilege. Maximum Privilege was already set to 15. Setting both to 15 does not fix the issue. Setting only Default Privilege to 15 results in me not being able to access enable on the switch (error in authentication).

Ideas?

For the particular problem of logging twice, it is actually the command "aaa authorization exec" which allows users to land directly in enable mode or not.

Ahh, found the problem. This apparently only works on VTY connections; I've been doing my testing with the console connection.

Once I tried this on my VTY session, it works flawlessly.

thanks again for sharing your dark side of the force
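As an added example (not configuration posted in this thread, and not taken from ACS or IOS documentation), here is an IOS AAA configuration that matches the behaviour the thread settles on: TACACS+ login and enable authentication, exec authorization so the privilege level in the ACS shell profile is applied at login, command authorization so the "permit all commands" / "deny all commands" rules are actually consulted, and `aaa authorization console` for the console-line behaviour observed above. The server address 192.0.2.10, the shared key and the VTY range are placeholders.

```cisco
! Added example, not from the thread. Server address, key and line range
! are placeholders; adjust to the lab before applying.
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER_SHARED_KEY
!
! Login authentication: ask ACS first. "local" is only used when no TACACS+
! server answers; an explicit deny from ACS does NOT fall back to local.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization is the step that carries the shell profile's
! privilege level (priv-lvl=15) back to the switch, so an AdminGroup
! member lands in Switch# directly instead of being asked for "enable".
aaa authorization exec default group tacacs+ local
!
! Command authorization at level 15 so the ACS command sets
! (Permit all commands vs Deny All Commands) are consulted per command.
aaa authorization commands 15 default group tacacs+ local
!
! Exec authorization is not applied to the console line unless this is
! enabled; without it a console test still shows the second prompt even
! though VTY sessions behave correctly.
aaa authorization console
!
! Accounting so ACS reports show who logged in and which commands ran.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
```

Apply this from one session while keeping a second, already-authenticated session open, and only close it once a fresh VTY login shows the expected Switch# prompt for an AdminGroup member and a denied login for a user outside it. Because the `local` method is reached only when the TACACS+ server is unreachable, a default rule that returns "Permit Access" instead of "Deny Access" (the problem found in this thread) is not caught by the switch; it has to be verified on the ACS side, and the ACS TACACS+ authorization report showing the `priv-lvl=15` attribute on the exec authorization is the quickest way to confirm that the intended shell profile was selected.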

Thanks Nico ......5+

Vinay Sharma

Community Manager - Wireless

Cisco Support Community

Thanks & Regards