10-14-2010 02:13 AM
Hi,
Is it possible to assign some device roles to some users when using integrated authentication (non-ACS)?
To explain: we want to allow some users (or groups of users) to be able to deploy NetConfig jobs only on some devices (or device groups).
So we first tried to assign NetConfig jobs to users, but it is only possible to do this for one user at a time (which can take long when we have many users), and we cannot limit the NetConfig job to some device groups.
Is there a way to do this with this mechanism, or is there another way to do it?
Many thanks,
Fabien GIRAUD
10-14-2010 10:41 PM
Not without ACS in LMS 3.2 but in LMS 4.0 you can use the Network Device Group option.
You can choose to assign any number of role and device group combinations for a selected user or user group to operate on Network Device Groups.
You should note the following to assign roles on a NDG basis:
• If you have assigned a Network Device Group to your AAA client (CiscoWorks Server and network devices), you must assign that device group to a role.
You cannot have role and device group combinations assigned to a user without assigning the Network Device Group to your AAA client.
• You can assign only one role to a user, to operate on an NDG.
• If a user requires privileges other than those associated with the current role, to operate on an NDG, a custom role should be created. All necessary privileges to enable the user to operate on the NDG should be given to this role.
For example, if a user needs to have Approver and Network Operator privileges to operate on NDG1, you can create a new custom role with Network Operator and Approver privileges, and assign the role to the user to operate on NDG1.
• You cannot assign roles to the DEFAULT device group. When the DEFAULT (unassigned device group) is selected, you can perform only the Help Desk role, irrespective of the roles chosen.
To assign the proper role, the network access server (NAS) should be added to device groups other than DEFAULT.
10-15-2010 12:16 AM
Hi,
That's what I was afraid of. We don't have any AAA authentication.
So as you say in your answer, it will not be possible.
Thanks for your reply,
Fabien GIRAUD