How to restrict a TACACS user from logging in to another device based on location group profile

Erwin Buena
Level 1

Does anybody know how to restrict a TACACS user from logging in to another device? Our company has manufacturing in many locations around the world and we want to restrict all of our engineers based on their geographic locations. For example, Network Engineers based in Asia are restricted from accessing all the devices that are in the US, but US Engineers need to have access to all the devices that are installed in different locations. I'm using Cisco Secure ACS 5.3 and I'm not able to achieve it. The test account that I've created, which belongs to a certain group (i.e. ASIA), can log in to a set of devices that are located in the US with read access but doesn't have write access because of the restriction that I've created. What I want is to block this test user's access to those devices located in the US.

Accepted Solution

maldehne
Cisco Employee

Well, let's assume that you have created two locations, US and Asia.

You have defined two AAA clients, US1 and Asia1.

You also have two identity groups, USgroup and Asiagroup.

1) If a user from USgroup is trying to access an Asia device, it should be rejected.

2) If a user from Asiagroup is trying to access a US device, it should be rejected as well.

Otherwise access is granted.

So you should customize the authorization policy under the device admin access service to include identity group and NDG:location as conditions, where in the result you can put whatever shell profile or command set you want.

Rule 1: USgroup, NDG:location is US: grant access with the shell profile and command set needed

Rule 2: Asiagroup, NDG:location is Asia: grant access with the shell profile and command set needed

Default: deny access

----------------------------------------------------------------------

Please make sure to rate correct answers
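To make the difference between the two policies concrete, here is an added model (not ACS code, not part of this thread) of how an ACS 5.x device admin access service evaluates its authorization rules: first match on all conditions wins, otherwise the default result applies. The group, location and AAA client names are the ones used in the thread; the shell profile names and the "home location" mapping are made-up placeholders, and the third rule goes beyond the accepted answer so that USgroup also reaches every location, as the question asks.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard: the condition is not evaluated (rule leaves it unchecked)

# NDG:location of each AAA client, after the thread's US1 / Asia1 (constructed)
AAA_CLIENTS = {"US1": "US", "Asia1": "Asia"}

# Groups that must never log in outside their own location (constructed)
RESTRICTED = {"Asiagroup": "Asia"}


@dataclass(frozen=True)
class Rule:
    identity_group: str   # condition: identity group of the user
    location: str         # condition: NDG:location of the AAA client
    result: str           # authorization result (shell profile / command set)


# What the questioner had: only the privilege level depends on the group, so an
# Asia engineer still logs in to a US device, just with a read-only profile.
PRIVILEGE_ONLY_POLICY = [
    Rule("USgroup", ANY, "Permit:ReadWrite"),     # placeholder profile names
    Rule("Asiagroup", ANY, "Permit:ReadOnly"),
]

# The accepted answer: condition on identity group AND NDG:location, default deny.
# Rule 3 is an addition so USgroup is granted access in every location.
LOCATION_POLICY = [
    Rule("USgroup", "US", "Permit:ReadWrite"),
    Rule("Asiagroup", "Asia", "Permit:ReadWrite"),
    Rule("USgroup", ANY, "Permit:ReadWrite"),
]
DEFAULT_RESULT = "DenyAccess"


def authorize(identity_group, aaa_client, policy):
    """First-match evaluation: the first rule whose conditions all match wins,
    otherwise the policy's default result (deny) applies."""
    location = AAA_CLIENTS[aaa_client]
    for rule in policy:
        if rule.identity_group in (ANY, identity_group) and rule.location in (ANY, location):
            return rule.result
    return DEFAULT_RESULT


def leaks(policy):
    """List (group, client) pairs where a restricted group can still log in
    outside its home location; an empty list means the restriction holds."""
    return [(g, c) for g, home in RESTRICTED.items()
            for c, loc in AAA_CLIENTS.items()
            if loc != home and authorize(g, c, policy) != DEFAULT_RESULT]
```

Running `leaks()` against a policy before rolling it out catches the read-only-instead-of-deny mistake from the question; the rules also have to live in the access service that the service selection policy actually routes device-admin requests to, which is the second pitfall described later in the thread.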


2 Replies


Thanks Maldehne for the information. The issue has been solved: my team, who were previously working on the per-location restriction, had created another Access Service Device Admin profile, which is why it was not working even though I had already set up the same rules that you mentioned. What I did was delete that Access Service Device Admin profile and add the rules to the existing Access Service Device Admin profile, and this solved the issue.

Thanks,

Erwin