Privilege level with ACS

jain.nitin (Level 3)

Hi All,

I have multiple levels of network users, and they have different access to network devices. For example, L1 network engineers can log in to access switches, change only the VLANs on ports, and see the output of some show commands.

Similarly, we have L2 users who have a somewhat higher level of access to devices, and another set of users with full access to network devices.

Can anyone let me know how I can do this with ACS? Do I need to define privilege level commands on the devices, or will ACS fulfil my requirement without defining commands on the switches or routers?

Any kind of help will be appreciated.

Thanks

Nitin Jain

2 Replies

Panos Kampanakis (Cisco Employee)

You need to have the three groups of users belong to different privilege levels.

Then you can do command authorization for the users and, using the privilege command, move the commands that each group can use to the appropriate level. That way users in group 1 will be able to use commands of level 1, etc.

I hope it helps.

PK

sunil.aroraa (Level 1)

Hi Nitin,

You can do this with the command authorization feature in Cisco ACS. Define privilege level 15 for every user in ACS and restrict them with command authorization.

Log in to ACS > Shared Profile Components > Shell Command Authorization Sets > Add. Add a new command set and define the commands which you want to allow, together with the Unmatched Commands option, e.g. a read-only set with show commands.

Then go to Group Setup > select the L1/L2 group > select the appropriate command set under Shell Command Authorization Set in the TACACS+ Settings section > click Submit+Restart.

Configuration on Router/Switch for command authorization:

aaa authorization exec default if-authenticated
! Command authorization is configured per privilege level; the method list
! for level 1 does not cover level-15 commands, so with every user placed at
! privilege 15 a matching line for level 15 is needed as well.
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none

Thank You,

Sunil Arora

Note: Please rate helpful posts.
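To make the two answers above concrete, the following is an added example (not code from either poster and not ACS or IOS code) that models, in Python, how a TACACS+ shell command authorization set is evaluated for the three user tiers in the question, and how the device-side `aaa authorization commands <level>` lines decide whether a command is ever sent to the server at all. The command-set names, the permitted commands and argument patterns, and the `device_decision` helper are all assumptions chosen to illustrate the thread; the matching rules (exact command word, regular expression over the arguments, a per-set "Unmatched Commands" switch, unmatched arguments denied) follow the ACS behaviour the replies describe.

```python
"""Model of ACS shell command authorization sets and IOS per-level
command authorization (added example; not ACS or IOS code)."""
import re
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    """One 'Shell Command Authorization Set' as configured in ACS.

    rules: list of (command, argument_regex, permit) evaluated in order.
    permit_unmatched_commands: the set's 'Unmatched Commands' switch.
    Arguments that match no rule for a known command are denied, which
    is the ACS default ('Permit Unmatched Args' unchecked).
    """
    name: str
    permit_unmatched_commands: bool
    rules: list = field(default_factory=list)

    def authorize(self, cmdline: str) -> str:
        words = cmdline.strip().split()
        if not words:
            return "deny"
        cmd, args = words[0], " ".join(words[1:])
        matched_cmd = False
        for rule_cmd, arg_re, permit in self.rules:
            if rule_cmd != cmd:
                continue
            matched_cmd = True
            if re.fullmatch(arg_re, args):
                return "permit" if permit else "deny"
        if matched_cmd:
            return "deny"          # command known, arguments not permitted
        return "permit" if self.permit_unmatched_commands else "deny"


# Constructed sets for the three tiers in the question (names and
# command lists are assumptions, not the original poster's policy).
L1_VLAN_ONLY = CommandSet("L1-vlan-only", permit_unmatched_commands=False, rules=[
    ("show", r"(ip interface brief|interfaces.*|vlan.*|version)", True),
    ("configure", r"terminal", True),
    ("interface", r"(Fast|Gigabit)Ethernet\S+", True),
    ("switchport", r"access vlan \d+", True),
    ("exit", r"", True),
    ("end", r"", True),
])

L2_OPERATOR = CommandSet("L2-operator", permit_unmatched_commands=False, rules=[
    ("show", r".*", True),
    ("configure", r"terminal", True),
    ("interface", r".*", True),
    ("switchport", r".*", True),
    ("shutdown", r"", True),
    ("no", r"shutdown", True),
    ("copy", r"running-config startup-config", True),
    ("reload", r".*", False),      # explicit deny even for operators
    ("exit", r"", True),
    ("end", r"", True),
])

# Full access: no rules, and unmatched commands are permitted.
L3_FULL = CommandSet("L3-full", permit_unmatched_commands=True)

GROUP_SETS = {"L1": L1_VLAN_ONLY, "L2": L2_OPERATOR, "L3": L3_FULL}


def device_decision(group: str, cmdline: str, cmd_level: int,
                    authorized_levels=frozenset({1, 15})) -> str:
    """What the switch does with a command typed by a user in `group`.

    authorized_levels models the privilege levels for which the device has
    an 'aaa authorization commands <level>' line. IOS only consults the
    TACACS+ server for commands at those levels; a level-15 command on a
    box that authorizes only level 1 runs without any check ('unchecked').
    """
    if cmd_level not in authorized_levels:
        return "unchecked"
    return GROUP_SETS[group].authorize(cmdline)


if __name__ == "__main__":
    samples = [
        ("L1", "show ip interface brief", 1),
        ("L1", "show running-config", 15),
        ("L1", "switchport access vlan 10", 15),
        ("L1", "no shutdown", 15),
        ("L2", "reload", 15),
        ("L3", "reload", 15),
    ]
    for group, cmdline, level in samples:
        print(f"{group:3} {cmdline!r:32} -> {device_decision(group, cmdline, level)}")
    # With only 'aaa authorization commands 1' on the device, the L1 user's
    # 'reload' (a level-15 command) is never sent to ACS.
    print("L1 reload, level 1 only ->",
          device_decision("L1", "reload", 15, authorized_levels=frozenset({1})))
```

The last print is the check worth carrying back to the device configuration: if every user is placed at privilege 15, as the second reply suggests, the `aaa authorization commands 15` line is what actually sends their commands to ACS; with only the level-1 line present, `device_decision` returns `unchecked` for a level-15 command, meaning the restricted command set is never consulted.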