Good Day,
I created a policy using the following configuration settings: -
Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
I then reference the shell profile in the following menu: -
Access Policies > Access Services > Default Device Admin > Authorization
From here if you select Rule 1 for editing you can change the Identity Group (The ID group is the same as that configured under the user you added). Also within Rule 1 you can specify the "shell Profile" that you want to use.
Also do not forget to add the configuration you need on your network device, I have the following configuration: -
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
It should be worth noting that under the common task tab within the shell profile, I can successfully login as the user that I have added with the default privilege being set to "not in use" (if this is set to 15 - when the user logs in they will be taken directly into exec privilege mode without having to enter the "enable" command) and the maximum privilege set to 15. If maximum privilege is set to anything less than 15, I cannot get in to exec privilege mode (enable mode).
Further to this you can also add command sets rules, for example, I have blocked the user from being able to enter the "show clock" command. This can be done by adding the rules you want to permit/deny in Policy Elements -> Authorization and Permissions -> Device Administration -> Command Sets and again like the shell referencing the command set you have created in Access Policies > Access Services > Default Device Admin > Authorization, with this you would also need to add the following commands on your network device: -
aaa authorization commands 1 default group tacacs+ if-authenticated none
This all seems to work for me, but I still have a way to go with the testing and trying to understand exactly what it is that I am doing.
I am using ACS 5.1. Hope this helps.
Thank you.
