ACS 5.3: Manage/create groups

sudip.acharya1

Hi,

As a Network Eng, I want the NetAdmins to use ACS for auth on their devices such as Fabric Interconnects, MDS switches and so on. How can I make sure that once TACACS+ is configured on those devices, NetAdmins can only access those specific devices and nothing else (i.e. switches, routers, etc.)?

I am new to ACS, any other tips/suggestions are appreciated.

Thanks in advance.

1 Reply

spindoctor64

1.  Put all the devices that the NetAdmins are permitted to modify in one Device Group

2.  Put all the NetAdmin user accounts in one Identity Group

3.  Create a rule that lets NetAdmins logging into their Device Group access the device:

     Go to:  Access Policies > Access Services > Default Device Admin > Authorization

          Click the Customize button at the bottom of the screen.

          In the popup window, under Customize Conditions, move Identity Group and NDG:Device Type to the Selected: box on the right

          Click OK

     Click the Create button

          Under Conditions:

               Check the box next to Identity Group:

                    Use the Select button to choose your NetAdmin Identity Group

               Check the box next to NDG:Device Type:

                    Use the Select button to choose the Device Group your NetAdmin devices belong to

          Under Results:

               Use the Select button to choose a Shell Profile; probably use Permit Access

               Under Command Sets:  Use the Select button to choose a Command Set

                    (Build at Policy Elements > Authorizations and Permissions > Device Administration > Command Sets)

          Click the OK button.

     Check the box next to this new rule, and use the ^ button to move it to the top of your list of rules.

4.  Create a rule that denies access to NetAdmins trying to log into any other device:

     Click the Create button

          Under Conditions:

               Check the box next to Identity Group:

                    Use the Select button to choose your NetAdmin Identity Group

          Under Results:

               Use the Select button to choose a Shell Profile; probably use DenyAccess

               Under Command Sets:  Use the Select button to choose a Command Set; probably use DenyAllCommands

          Click the OK button.

     Check the box next to this new rule, and use the ^ button to move it directly below the rule created in step 3.

I hope this helps, and in the future try posting ACS-type questions to the AAA, Identity and NAC forum instead of the Security Management forum. 

--Chris
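To see why the reply's rule order matters, here is an added example (not part of the original thread, and not Cisco's code): a small first-match evaluator that mirrors how the two authorization rules from steps 3 and 4 behave once they sit at the top of the rule table. The identity group name, NDG path, command set name, user names and the colon-separated hierarchical NDG matching are assumptions made for illustration; the default result applied when no rule matches is a parameter, because it depends on the Default rule in your own ACS policy.

```python
"""Added example: first-match evaluation of ACS 5.x style device-admin
authorization rules. Names and NDG paths below are invented for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    identity_group: Optional[str]  # None = condition box unchecked, matches any group
    device_type: Optional[str]     # NDG:Device Type path; None = matches any device
    shell_profile: str
    command_set: str


@dataclass
class Request:
    user: str
    identity_group: str  # group the authenticated user belongs to
    device_type: str     # NDG:Device Type path of the device the user logged into


def ndg_matches(rule_path: str, device_path: str) -> bool:
    """Hierarchical NDG match (assumed to mirror ACS): a rule placed on a node
    matches that node and every descendant node under it."""
    return device_path == rule_path or device_path.startswith(rule_path + ":")


def evaluate(rules: List[Rule], req: Request,
             default: Tuple[str, str] = ("Permit Access", "")) -> Tuple[str, str, str]:
    """Walk the rule table top to bottom and return the first match as
    (rule name, shell profile, command set). If nothing matches, the policy's
    Default rule result is returned (assumption: whatever your Default rule says)."""
    for r in rules:
        if r.identity_group is not None and r.identity_group != req.identity_group:
            continue
        if r.device_type is not None and not ndg_matches(r.device_type, req.device_type):
            continue
        return (r.name, r.shell_profile, r.command_set)
    return ("Default", default[0], default[1])


# Assumed object names created in the ACS GUI for this example.
NETADMIN_GROUP = "All Groups:NetAdmins"
NETADMIN_DEVICES = "All Device Types:NetAdmin-Devices"

# Step 3 rule on top, step 4 rule directly below it.
RULES_CORRECT_ORDER = [
    Rule("NetAdmin-Permit", NETADMIN_GROUP, NETADMIN_DEVICES, "Permit Access", "NetAdmin-Commands"),
    Rule("NetAdmin-Deny", NETADMIN_GROUP, None, "DenyAccess", "DenyAllCommands"),
]

# The same two rules with the deny rule above the permit rule.
RULES_WRONG_ORDER = list(reversed(RULES_CORRECT_ORDER))


def netadmin_on_own_device(rules=RULES_CORRECT_ORDER) -> Tuple[str, str, str]:
    """NetAdmin logging into a device inside the NetAdmin device group."""
    return evaluate(rules, Request("alice", NETADMIN_GROUP,
                                   NETADMIN_DEVICES + ":FabricInterconnect"))


def netadmin_on_other_device(rules=RULES_CORRECT_ORDER) -> Tuple[str, str, str]:
    """NetAdmin logging into a router that is not in the NetAdmin device group."""
    return evaluate(rules, Request("alice", NETADMIN_GROUP,
                                   "All Device Types:Routers"))


def other_user_on_router(rules=RULES_CORRECT_ORDER) -> Tuple[str, str, str]:
    """A user outside the NetAdmin identity group: neither rule matches, so the
    Default rule decides (here shown with an assumed permissive default)."""
    return evaluate(rules, Request("bob", "All Groups:Network-Engineers",
                                   "All Device Types:Routers"))


if __name__ == "__main__":
    for label, fn in (("own device", netadmin_on_own_device),
                      ("other device", netadmin_on_other_device),
                      ("non-NetAdmin", other_user_on_router)):
        print(f"{label:13s} correct order -> {fn()}")
        print(f"{label:13s} wrong order   -> {fn(RULES_WRONG_ORDER)}")
```

Two things the run makes visible: with the deny rule above the permit rule, NetAdmins are denied even on their own devices, which is why step 3's rule has to be moved to the top; and a user who is not in the NetAdmin identity group never touches either rule, so whatever your policy's Default rule returns is what they get, which is worth checking rather than assuming.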
