08-15-2015 07:25 AM - edited 03-10-2019 10:58 PM
I am able to authenticate login attempts using an external database (RSA SecurID). The problem is that everyone with a token is allowed to log in to any switch with priv15 (or whatever I set, but with no way to control who gets what access). How can I authorize users based on some type of group membership? The SecurID server is already integrated with LDAP; all it does is check to see if the user exists in the database.
I need to create two groups, or even just only allow one group and deny everyone else, but anyone in the organization with a token has permission to log in. I can't find any guides that do anything beyond authentication when using a SecurID token.
Thanks.
08-18-2015 11:47 PM
Hello,
On routers and switches, have you given the command "aaa authorization exec default group TACACS"? It seems that you have only defined authentication on the devices. Once this command is in place, user access privileges can be governed by ACS. In the Default Network Admin access policy (if you are using the default policy for TACACS), define the authorization rule to check user group membership and provide the appropriate shell profile. Make the default rule give the DenyAccess shell profile to other users.
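For reference, here is what the device side of that answer looks like as a complete IOS AAA configuration. This is an added example, not a configuration posted in the thread; the server group name ACS_TACACS, the server name ACS1, the address 192.0.2.10 and the shared secret are placeholders, and the point is the difference between having only the authentication line and having both lines.

```text
! Added example (not from the thread). Server names, the 192.0.2.10 address
! and the shared secret are placeholders, not values from the original post.
aaa new-model

tacacs server ACS1
 address ipv4 192.0.2.10
 key 0 <shared-secret-placeholder>

aaa group server tacacs+ ACS_TACACS
 server name ACS1

! Authentication only: this is the state described in the question. Every
! token holder who authenticates gets whatever privilege the device assigns,
! and ACS is never asked what the user is allowed to do.
aaa authentication login default group ACS_TACACS local

! Exec authorization: with this line the device sends an authorization
! request after login, and the shell profile chosen by the ACS rule
! (privilege level, or DenyAccess) decides whether a shell is granted.
aaa authorization exec default group ACS_TACACS local

! Local fallback account so a misconfigured or unreachable ACS cannot lock
! administrators out of the device. Use a strong secret in practice.
username break-glass privilege 15 secret <local-secret-placeholder>
```

Two practical notes: the trailing "local" keyword on both lines only applies when the TACACS+ servers do not respond, so a DenyAccess decision from ACS is still enforced; and on IOS, exec authorization is not applied to the console line unless "aaa authorization console" is also configured, which is worth remembering when testing from a serial connection and wondering why the ACS rule appears to be ignored.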
08-19-2015 08:57 AM
You are correct, ACS can authorize against its local database, but I was not able to authorize against group membership in Active Directory. My current solution works but isn't very scalable. Maybe I'm missing something?
08-21-2015 08:31 AM
I solved my issue by creating an identity store sequence for RSA and AD for additional attribute retrieval.