I need to specify users to allow access to particular devices and give privilege only for the show command or show run. Here is how I tried to configure it.
1. Configured two separate Shell Profiles and Command Sets with privilege level 4-5, allowing only the show run command
2. Created a separate service selection rule adding the required NDG and protocol TACACS and matching the service "RestrictAccess"
3. In the RestrictAccess service I have the following configured; Identity: internal users, Group Mapping to a particular group where the user exists, Authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However, when I tried with the particular user, he is able to access everything and he is not hitting the correct access rule.
I would appreciate it if someone can advise me what I'm missing here.
The configuration seems fine. What do the logs in the reports show? Which authorization profile is it falling into?
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
It looks to me that rules 3 and 6 have the same conditions and so rule 6 will never be hit (hard to be 100% sure in case the screenshot is truncated).
In general, you can debug such issues as follows:
- using hit counts: reset the hit counts before starting the test and refresh after the test completes
- looking at the authentication details: for each pass/fail record you can click on the details icon and see the full details for the request. This includes all the attributes used when processing the request and the name of the rule that was hit in each policy
Actually it's hitting the correct authorization profile, but still I'm seeing that first it goes to a different access service (xxxx Sec Admin). Attached is the detailed log I got from the ACS...
Meanwhile, I would appreciate it if you can send me any configuration document for this scenario.
Thanks Anisha for your response..
If you look at the Access Service policy, it's not the one I wanted. I already created one Access Policy called "RestrictAccess" and I can't see that it is hitting..
Do you have any configuration document for this scenario or any working settings..?
As I mentioned, if you look in the Service Selection rules, rule number 3 (name=Rule-2) and rule number 6 (name: RestrictAccess) have precisely the same conditions. The policy is first match and so rule 6 will never be matched. If you want rule 6 to take effect instead of 3, either disable or delete rule number 3 (name: Rule-2).
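The shadowing described in the answer above, as an added illustration that is not part of this thread or of ACS itself: a small model of first-match Service Selection evaluation plus a check that flags any rule an earlier rule makes unreachable. The rule table, attribute names and NDG values are constructed; the rule names mirror the thread, but the positions do not.

```python
from dataclasses import dataclass

# Constructed model of an ACS-style Service Selection rule:
# conditions map attribute -> required value; an attribute that is
# absent from the dict means "any value" for that attribute.
@dataclass
class Rule:
    name: str
    conditions: dict
    service: str
    enabled: bool = True

def matches(rule, request):
    return rule.enabled and all(
        request.get(k) == v for k, v in rule.conditions.items())

def select_service(rules, request):
    """First-match evaluation: the first enabled rule whose conditions
    all hold wins, exactly the behaviour that hides rule 6 behind rule 3."""
    for r in rules:
        if matches(r, request):
            return r.name, r.service
    return None, None

def subsumes(earlier, later):
    """True when every request that matches `later` also matches
    `earlier` (identical conditions, or `earlier` is broader)."""
    return all(later.conditions.get(k) == v
               for k, v in earlier.conditions.items())

def shadowed_rules(rules):
    """Names of enabled rules that can never be hit because an earlier
    enabled rule subsumes them; this is the check to run on a rule table."""
    enabled = [r for r in rules if r.enabled]
    return [later.name for i, later in enumerate(enabled)
            if any(subsumes(earlier, later) for earlier in enabled[:i])]

def disable(rules, name):
    """Return a copy of the table with the named rule disabled (the fix
    suggested in the thread, as an alternative to deleting it)."""
    return [Rule(r.name, dict(r.conditions), r.service,
                 r.enabled and r.name != name) for r in rules]

# Constructed rule table: Rule-2 and RestrictAccess carry the same conditions.
RULES = [
    Rule("Rule-1", {"protocol": "TACACS+", "ndg": "DC-Core"}, "Default Device Admin"),
    Rule("Rule-2", {"protocol": "TACACS+", "ndg": "Branch"}, "Sec Admin"),
    Rule("RestrictAccess", {"protocol": "TACACS+", "ndg": "Branch"}, "RestrictAccess"),
]
REQUEST = {"protocol": "TACACS+", "ndg": "Branch", "user": "netops1"}
```

Running `select_service(RULES, REQUEST)` lands on Rule-2 and `shadowed_rules(RULES)` reports RestrictAccess; after `disable(RULES, "Rule-2")` the restricted service is selected and nothing is shadowed.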