02-01-2006 04:42 PM - edited 03-10-2019 02:27 PM
I'd like to set up ACS server (integrated with Windows Active Directory) for router and switch so that all network administrators could use their active directory account to access network devices and all activities will be logged on the ACS server. Currently we are sharing a local administrative (on router and switch) account and I don't have the visibility of who is doing what. The idea is to have tighter change control.
I'd like to have security group set up in Active Directory and have all the network admins within, and have them to use their network account to log into routers and switches. Is this possible?
02-03-2006 04:59 AM
Hi
Yes, this is easily achieved. Just as per normal users, admins being authenticated via TACACS+ can be in an external database, i.e. Windows.
You would need to set the TACACS+ authentication to MSCHAP ideally (rather than ascii or pap)
If you are using enable, in the ACS user record edit page you can also link the enable password to the user's external db password too.
Darran
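For reference, the device-side half of what Darran describes looks like the following IOS AAA configuration. This is an added example, not part of Darran's reply or the original thread: the ACS address, shared key and fallback account name are placeholders, and the MSCHAP choice he mentions is set on the ACS side, not in this config. The `accounting commands` lines are what give the per-administrator "who did what" record the question asks for; the `local` fallback on each method list keeps the device reachable if the ACS server is down.

```ios
! Enable the AAA subsystem
aaa new-model
!
! ACS server (placeholder address and shared secret, not from the thread)
tacacs-server host 192.0.2.10 key ACS-SHARED-SECRET-PLACEHOLDER
!
! Login: ask ACS (backed by AD) first, fall back to the local database
aaa authentication login ADMIN-LOGIN group tacacs+ local
!
! Enable: ask ACS first (this is where the linked enable password applies),
! fall back to the locally configured enable secret
aaa authentication enable default group tacacs+ enable
!
! Exec and level-15 command authorization through ACS, local fallback
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: every session and every level-15 command is sent to ACS,
! so the ACS logs show which AD account ran which command and when
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local emergency account used only when ACS is unreachable (placeholder name)
username fallback-admin privilege 15 secret LOCAL-FALLBACK-PLACEHOLDER
enable secret ENABLE-SECRET-PLACEHOLDER
!
! Apply the login method list to the VTY lines and allow only SSH
line vty 0 4
 login authentication ADMIN-LOGIN
 transport input ssh
```

Apply this while still logged in on a console session and confirm a second SSH login succeeds with an AD account before closing the first; the `local` fallback only helps if the local account and enable secret are set before the ACS server is switched to group-only authentication.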
02-06-2006 08:58 AM
Thank you, in that case I have some more questions (if you don't mind) to ask about your instruction.
1. I only have a RADIUS server (ACS 3.3). Do I need to purchase additional TACACS+ to accomplish this? Or do you just want me to add additional TACACS+/RADIUS attributes enabled per user?
2. Is it possible to map 'Security Group' object instead of individual user?
3. Please send me a sample CLI configuration for router (or switch).
Thank you very much for your help.