User Access Elevation for a Set of Devices

suvarghe
Cisco Employee

Hi Experts,

The customer is planning to automate access elevation, so he wants to know if ACS supports elevating a user's access for a set of network devices (say 2 or 3 devices). Currently, when they elevate access based on AD, it is elevated on all the network devices.

The customer is using TACACS+ for Cisco devices. The ACS server is integrated with AD, and by default all the network administrators have read-only access.

When they raise a network change, they request read/write access by adding the change number in the access elevation portal (which is used to elevate access from RO to RW), and then they make the changes on the devices.

When access is elevated, we need to restrict it to the specific devices that are included in the change.

We have found one method, which involves creating a specific AD group that relates to the set of devices. However, this method is tedious and not practical, as the customer would have to keep creating similar groups every time a change is raised.

Would you know if there is any other way to accomplish this?

Regards,

Sujit

Accepted Solution


vrostowsky
Level 5

Sujit

There are multiple ways it can be done. If there is a consistent "set of devices", you could create a new NDG just for those devices. This way you could create another authorization policy for this NDG. Create a custom shell profile that will allow the elevated privilege, and map the NDG to the external identity group (AD) in that authorization policy.

HTH-

Vince

4 Replies

Thanks Vince.

Yes, this method is practical if the set of devices is consistent.

However, the set of devices is not consistent in our scenario. I assume this process would be tedious, considering the set of devices changes every time.

Do you know if this task can be done via scripts?

Regards,

Sujit

User access elevation is controlled by the device.

ACS just provides the level of access in the shell profiles.

In the case of TACACS+, this is sent as attributes from ACS using shell profiles.

In the case of RADIUS, you need to configure the attribute in the authorization profile and send it to the network device. You can also send attributes from AD dynamically to the network device.

You can use the ACS REST API to configure some of these and script it:

Software Developer's Guide for Cisco Secure Access Control System 5.8 - Using the Scripting Interface [Cisco Secure Acce…

Thanks

Krishnan
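The two suggestions above (Vince's NDG-scoped authorization rule and Krishnan's note that the ACS objects can be scripted) combine into one pattern: keep a fixed "change" NDG and a fixed authorization rule that only matches devices in that NDG, and let the script move devices into and out of the NDG per change ticket instead of creating AD groups or rules each time. The following is an added example, not code from the thread or from Cisco; it models ACS's first-match rule table, NDG membership and TACACS+ shell profile attributes in plain Python so the scoping behaviour can be checked offline. Every name in it (the NDG paths, the AD group DN, the device hostnames, the shell profile names) is constructed for illustration.

```python
"""Constructed model of change-scoped TACACS+ privilege elevation.

Added example, not from the thread. ACS is modelled as a device -> NDG map,
a user -> AD-group map and an ordered authorization rule table evaluated
first-match. authorize() returns the shell profile attributes ACS would send;
the network device, not ACS, enforces the priv-lvl it receives.
"""
from typing import Dict, List, Optional, Set, Tuple

# Shell profiles (constructed names). priv-lvl is the TACACS+ shell attribute
# the IOS exec acts on: 1 = read-only exec, 15 = full privilege.
SHELL_PROFILES = {
    "NetAdmin-RO": {"priv-lvl": "1"},
    "NetAdmin-RW": {"priv-lvl": "15"},
}

NETADMINS = "CN=NetAdmins,OU=Groups,DC=example,DC=com"  # constructed AD group DN
BASE_NDG = "All Device Types:Network"                    # constructed NDG names
CHANGE_NDG = "All Device Types:Network:Change-RW"

# (rule name, required AD group or None, required NDG or None, shell profile)
Rule = Tuple[str, Optional[str], Optional[str], str]

# The customer's current table: AD group membership alone grants RW, so an
# elevated user is RW on every device.
RULES_AD_ONLY: List[Rule] = [
    ("AdminRW", NETADMINS, None, "NetAdmin-RW"),
]

# Scoped table: RW only when the device is in the change NDG, RO otherwise.
# The table never changes; only NDG membership is edited per change.
RULES_SCOPED: List[Rule] = [
    ("ChangeRW", NETADMINS, CHANGE_NDG, "NetAdmin-RW"),
    ("DefaultRO", NETADMINS, None, "NetAdmin-RO"),
]


class Acs:
    def __init__(self, device_ndg: Dict[str, str],
                 user_groups: Dict[str, Set[str]], rules: List[Rule]) -> None:
        self.device_ndg = dict(device_ndg)
        self.user_groups = user_groups
        self.rules = rules

    def authorize(self, user: str, device: str) -> Optional[Dict[str, str]]:
        """Shell profile attributes for user@device, or None (request rejected)."""
        ndg = self.device_ndg.get(device)
        if ndg is None:
            return None  # not a registered network device
        groups = self.user_groups.get(user, set())
        for _name, ad_group, req_ndg, profile in self.rules:
            if ad_group is not None and ad_group not in groups:
                continue
            if req_ndg is not None and ndg != req_ndg:
                continue
            return SHELL_PROFILES[profile]
        return None  # no rule matched: default deny

    def set_change_scope(self, devices: Set[str]) -> Tuple[Set[str], Set[str]]:
        """Put exactly `devices` into CHANGE_NDG and everything else back into
        BASE_NDG. Returns (added, removed). Fails closed on unknown hostnames
        so a typo in a ticket cannot silently elevate nothing or the wrong box."""
        unknown = devices - set(self.device_ndg)
        if unknown:
            raise ValueError(f"not registered in ACS: {sorted(unknown)}")
        added, removed = set(), set()
        for dev, ndg in self.device_ndg.items():
            if dev in devices and ndg != CHANGE_NDG:
                self.device_ndg[dev] = CHANGE_NDG
                added.add(dev)
            elif dev not in devices and ndg == CHANGE_NDG:
                self.device_ndg[dev] = BASE_NDG
                removed.add(dev)
        return added, removed


def sample_acs(rules: List[Rule]) -> Acs:
    # Constructed inventory: three devices, one network admin, one outsider.
    devices = {"core-sw1": BASE_NDG, "core-sw2": BASE_NDG, "edge-rtr1": BASE_NDG}
    users = {"sujit": {NETADMINS}, "guest": set()}
    return Acs(devices, users, rules)


def priv(acs: Acs, user: str, device: str) -> Optional[str]:
    """priv-lvl ACS would return, or None if authorization is rejected."""
    attrs = acs.authorize(user, device)
    return None if attrs is None else attrs["priv-lvl"]


if __name__ == "__main__":
    # Constructed change ticket covering two of the three devices.
    acs = sample_acs(RULES_SCOPED)
    print("open change:", acs.set_change_scope({"core-sw1", "edge-rtr1"}))
    for dev in ("core-sw1", "core-sw2", "edge-rtr1"):
        print(dev, "priv-lvl", priv(acs, "sujit", dev))
    print("close change:", acs.set_change_scope(set()))
```

Two caveats a practitioner should keep in mind with this shape. First, a single shared change NDG means that if two changes overlap in time, the requester of one is also RW on the other's devices; where changes can run concurrently, use one NDG per change or per requester and a matching rule per NDG. Second, the model only decides what ACS returns; the device must still be configured for TACACS+ exec and command authorization (and accounting) for priv-lvl to mean anything, which is the point Krishnan makes above.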

vrostowsky
Level 5

Maybe you can look at using parser views or custom privilege levels on the devices. As for scripting, I used to use Perl scripts to perform configuration changes on large numbers of ASA firewalls, but if the device is a switch or router, these script techniques do not work. Maybe someone else can chime in with some other options for you-

-Vince
