Cisco Employee

User Access Elevation for a Set of Devices

Hi Experts,

The customer is planning to automate access elevation, so he wants to know if ACS supports elevating a user's access for a set of network devices (say 2 or 3 devices). Currently, when they elevate access based on AD, it elevates access on all the network devices.

The customer is using TACACS for the Cisco devices. The ACS server is integrated with AD, and by default all the network administrators have read-only access.

When they raise a network change, they request read-write access by adding the change number in the access elevation portal (which is used to elevate access from RO to RW), and then they make the changes on the devices.

When access is elevated, we need to restrict it to the specific devices that are included in the change.

We have found one method, which involves creating a specific AD group that relates to the set of devices. However, this method is tedious and not practical, as the customer would have to keep creating similar groups every time a change is raised.

Would you know if there is any other way to accomplish this?




Regards,

Sujit

1 ACCEPTED SOLUTION

Contributor

Sujit

There are multiple ways it can be done. If there is a consistent "set of devices", you could create a new NDG just for those devices. This way you could create another authorization policy for this NDG. Create a custom shell profile that allows the elevated privilege, which maps the NDG to the external identity group (AD) in that authorization policy.

HTH-

Vince


4 REPLIES


Thanks Vince.

Yes, this method is practical if the set of devices is consistent.

However, the set of devices is not consistent in our scenario. I assume this process would be tedious, considering the set of devices changes every time.

Do you know if this task can be done via scripts?

Regards,

Sujit


User access elevation is controlled by the device.

ACS just provides the level of access in the shell profiles.

This is sent as attributes from ACS using shell profiles in the case of TACACS+.

In the case of RADIUS you need to configure the attribute in the authorization profile and send it to the network device. You can also send attributes from AD dynamically to the network device.

You can configure some of these using the ACS REST API and script it:

Software Developer's Guide for Cisco Secure Access Control System 5.8 - Using the Scripting Interface [Cisco Secure Acce…

Thanks

Krishnan
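The two answers above describe the same building blocks: devices grouped into an NDG, an authorization rule that matches the AD group plus that NDG, and a shell profile whose TACACS+ attributes carry the privilege level. The block below is an added example, not code from the original thread or from ACS, that models those objects in Python so the policy can be checked offline: a change ticket creates a per-change NDG, the rule for that NDG is bounded by the ticket window and the requester, and a default rule leaves everyone else read-only. The ticket fields, the NDG and rule names, the group name `CORP\NetworkAdmins` and the `priv-lvl` values are assumptions made for the example; it makes no ACS REST calls, since the rule and shell-profile objects are modelled in memory rather than created through any API.

```python
"""Added example: an in-memory model of the ACS-style authorization the
thread describes (per-change NDG + AD group + time window -> shell profile).
All object names and attribute values below are assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# TACACS+ shell attributes the two shell profiles carry (assumed values;
# priv-lvl is the standard TACACS+ shell attribute an IOS device honours).
SHELL_PROFILE_RO = {"priv-lvl": "1"}
SHELL_PROFILE_RW = {"priv-lvl": "15"}
AD_NETADMIN_GROUP = "CORP\\NetworkAdmins"  # assumed external identity group


@dataclass(frozen=True)
class ChangeTicket:
    number: str
    requester: str
    devices: frozenset          # device names in scope of the change
    start: datetime             # change window, UTC
    end: datetime


@dataclass
class Device:
    name: str
    ndgs: set = field(default_factory=set)   # NDGs this device belongs to


@dataclass(frozen=True)
class Rule:
    name: str
    ad_group: str                   # external identity group the user must be in
    ndg: Optional[str]              # NDG the device must belong to; None = any device
    users: Optional[frozenset]      # explicit requester list; None = whole AD group
    window: Optional[tuple]         # (start, end) in UTC; None = always
    shell_profile: dict


def ndg_for_change(ticket: ChangeTicket) -> str:
    return f"CHG:{ticket.number}"


def assign_change_ndg(inventory: dict, ticket: ChangeTicket) -> str:
    """Put every device on the ticket into a per-change NDG; refuse tickets
    naming devices that are not in the ACS inventory."""
    ndg = ndg_for_change(ticket)
    unknown = sorted(d for d in ticket.devices if d not in inventory)
    if unknown:
        raise KeyError(f"ticket {ticket.number} names unknown devices: {unknown}")
    for name in ticket.devices:
        inventory[name].ndgs.add(ndg)
    return ndg


def revoke_change_ndg(inventory: dict, ticket: ChangeTicket) -> None:
    """Remove the per-change NDG from every device once the ticket closes."""
    for dev in inventory.values():
        dev.ndgs.discard(ndg_for_change(ticket))


def rule_for_ticket(ticket: ChangeTicket) -> Rule:
    return Rule(name=f"RW-{ticket.number}", ad_group=AD_NETADMIN_GROUP,
                ndg=ndg_for_change(ticket), users=frozenset({ticket.requester}),
                window=(ticket.start, ticket.end), shell_profile=SHELL_PROFILE_RW)


DEFAULT_RO_RULE = Rule("RO-default", AD_NETADMIN_GROUP, None, None, None, SHELL_PROFILE_RO)


def build_policy(tickets) -> list:
    # Ticket rules are evaluated before the catch-all read-only rule.
    return [rule_for_ticket(t) for t in tickets] + [DEFAULT_RO_RULE]


def rule_matches(rule: Rule, user: str, user_groups: set, device: Device, now: datetime) -> bool:
    if rule.ad_group not in user_groups:
        return False
    if rule.ndg is not None and rule.ndg not in device.ndgs:
        return False
    if rule.users is not None and user not in rule.users:
        return False
    if rule.window is not None and not (rule.window[0] <= now < rule.window[1]):
        return False
    return True


def authorize(policy: list, user: str, user_groups: set, device: Device, now: datetime):
    """First matching rule wins, as in an ordered ACS authorization policy;
    no match means an implicit deny (no shell profile is sent)."""
    for rule in policy:
        if rule_matches(rule, user, user_groups, device, now):
            return rule.name, dict(rule.shell_profile)
    return None, None


def run_demo() -> dict:
    # Constructed sample data: three devices, one change ticket on two of them.
    inventory = {n: Device(n) for n in ("core-sw-1", "core-sw-2", "edge-rtr-1")}
    t0 = datetime(2019, 5, 20, 10, 0, tzinfo=timezone.utc)
    ticket = ChangeTicket("CHG0012345", "sujit", frozenset({"core-sw-1", "core-sw-2"}),
                          t0, t0.replace(hour=12))
    assign_change_ndg(inventory, ticket)
    policy = build_policy([ticket])
    admins = {AD_NETADMIN_GROUP}
    during, after = t0.replace(hour=11), t0.replace(hour=13)
    results = {
        "requester_in_scope": authorize(policy, "sujit", admins, inventory["core-sw-1"], during),
        "requester_out_of_scope": authorize(policy, "sujit", admins, inventory["edge-rtr-1"], during),
        "requester_after_window": authorize(policy, "sujit", admins, inventory["core-sw-1"], after),
        "other_admin_in_scope": authorize(policy, "alice", admins, inventory["core-sw-1"], during),
        "non_admin": authorize(policy, "bob", {"CORP\\HelpDesk"}, inventory["core-sw-1"], during),
    }
    revoke_change_ndg(inventory, ticket)
    results["after_revoke"] = authorize(policy, "sujit", admins, inventory["core-sw-1"], during)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:24} -> {outcome}")
```

Two caveats the model makes visible. The `users` condition is what keeps the other members of the AD group at read-only on the ticket's devices; if the ACS version in use cannot express a per-user condition in the rule, that is exactly the point where the per-change AD group Sujit found tedious (or an internal identity group the elevation portal fills) comes back in, because NDG plus AD group alone gives every network administrator RW on those devices for the window. And `revoke_change_ndg` has to run when the ticket closes; otherwise the device stays in the change NDG and only the time window is protecting it.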

Contributor

Maybe you can look at using parser views or custom privilege levels on the devices. As for scripting, I used to use Perl scripts to perform configuration changes on large numbers of ASA firewalls, but if the device is a switch or router, these script techniques do not work. Maybe someone else can chime in with some other options for you.

-Vince