different authorization levels based on device IP/location

mirehteshamali
Level 1

Hi all

What I need is simple:

When a user admin-HQ logs in, the AAA server should send level 15 to him (shell:priv-lvl=15); however, when he logs in to a router in a branch, the AAA server should send level 7 to him.

i.e. for the same attribute and user, two different authorization levels based on location.

This is needed as an admin from one branch wants read-write access to his devices and restricted access to another branch's routers.

thanks

1 Reply

Amjad Abdullah
VIP Alumni

Hello,

What version of ACS are you using?

If you use version 5.x you can simply do that by creating two different shell profiles and configure the policy to assign one profile for people connecting from location X and assign the other profile for people connecting from location Y.

Now, if you have a 4.x version, that cannot be done.

What you can do, however, and what works based on your requirements, is to handle the authorization not from the priv level but from a shell profile. You can assign different shell profiles to different device groups in both ACS 4.x and 5.x versions.

So, if you create a shell profile for the access needed in site X and another profile for access needed in site Y, you can assign whatever shell profile to whatever location (this requires both devices to be in DIFFERENT device groups if you use ACS version 4.x because shell profile assignment can only be done per device group).

Is the above clear enough?

If not, please let me know what you understood and I will explain further.

For info about shell profile in version 4.x (called shared profile authorization set) check this link:

http://tiny.cc/v9oqsw

Greetings,

Amjad

Rating useful replies is more useful than saying "Thank you"

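The mechanism in the reply, as an added example that is not code from the thread or from Cisco ACS: the router's NAS IP places it in a Network Device Group, a rule maps (user group, device group) to a shell profile, and the profile carries the shell:priv-lvl sent back. The subnets, group names, profile names and the "NetAdmins" identity group are assumed; an unknown router or an unmatched rule yields no profile, and a helper flags device groups whose subnets overlap, the situation the reply says must be avoided.

```python
# Added example (not from the thread or Cisco ACS): a model of the ACS 5.x-style
# policy in the reply, where the router's device group (by NAS IP) picks the shell profile.
import ipaddress
from itertools import combinations

# Constructed Network Device Groups: location -> NAS subnets (assumed addressing).
DEVICE_GROUPS = {
    "HQ": ["10.1.0.0/16"],
    "Branch": ["10.20.0.0/16", "10.21.0.0/16"],
}

# Constructed shell profiles: name -> TACACS+ attributes returned to the router.
SHELL_PROFILES = {
    "HQ-Admin": {"shell:priv-lvl": "15"},
    "Branch-Admin": {"shell:priv-lvl": "7"},
}

# Authorization rules (identity group, device group, shell profile); first match wins.
RULES = [
    ("NetAdmins", "HQ", "HQ-Admin"),
    ("NetAdmins", "Branch", "Branch-Admin"),
]

def device_group_of(nas_ip):
    """Return the device group whose most specific subnet contains nas_ip, else None."""
    addr = ipaddress.ip_address(nas_ip)
    best = None
    for group, nets in DEVICE_GROUPS.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (group, net.prefixlen)
    return best[0] if best else None

def authorize(identity_group, nas_ip):
    """Attributes the AAA server returns for this login, or None when no rule matches."""
    group = device_group_of(nas_ip)
    if group is None:
        return None  # router in no device group: no profile, so no elevated access
    for ig, dg, profile in RULES:
        if ig == identity_group and dg == group:
            return dict(SHELL_PROFILES[profile])
    return None

def overlapping_groups():
    """Pairs of device groups whose subnets overlap; the reply says these must stay distinct."""
    clashes = []
    for (g1, n1), (g2, n2) in combinations(DEVICE_GROUPS.items(), 2):
        if any(ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)) for a in n1 for b in n2):
            clashes.append((g1, g2))
    return clashes
```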