Beginner

ACS 5.2 Identity Base Authentication

Hi,

I need to specify users to allow access to particular devices and give privilege only for show commands or show run. Here is how I tried to configure it.

1. Configured two separate Shell Profiles and Command Sets with privilege level 4-5 and allowing only the show run command

2. Created a separate service selection rule adding the required NDG and protocol TACACS and matching service "RestrictAccess"

3. In the RestrictAccess Service I have the following configured: Identity: internal users, Group Mapping to a particular group where the user exists, Authorization: matching the above created identity group, NDG, shell profile, command sets

All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.

Appreciate it if someone can advise me what I'm missing here.

thanks

Cisco Employee

Hi,

The configuration seems fine. What do the logs in the reports show? Which authorization profile is it falling under?

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Rising star

It looks to me that rules 3 and 6 have the same conditions and so rule 6 will never be hit (hard to be 100% sure in case the screenshot is truncated).

In general you can debug such issues as follows:

- Using hit counts: reset the hit counts before starting the test and refresh after the test completes.

- Looking at the authentication details: for each pass/fail record you can click on the details icon and see the full details for the request. This includes all the attributes used when processing the request and the name of the rule that was hit in each policy.

Beginner

Hi Anisha/jrabinow,

Actually it's hitting the correct authorization profile, but I'm still seeing that it first goes to a different access service (xxxx Sec Admin). Attached is the detailed log I got from the ACS...

Meanwhile, I would appreciate it if you can send me any configuration document for this scenario.

Regards,

Cisco Employee

Hi,

How did you figure out that it is hitting the other access service?

Regards,

Anisha

Beginner

Thanks Anisha for your response.

If you look at the Access Service policy, it's not the one I wanted. I already created one Access Policy called "RestrictedAcees" and I can't see that it is hitting.

Do you have any configuration document for this scenario or any working settings?

Rising star

As I mentioned, if you look in the Service Selection rules, rule number 3 (name: Rule-2) and rule number 6 (name: RestricAccess) have precisely the same conditions. The policy is first match and so rule 6 will never be matched. If you want rule 6 to take effect instead of 3, either disable or delete rule number 3 (name: Rule-2).
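The shadowing described in this reply, as an added example that is not part of the thread or of Cisco ACS: a small first-match evaluator over a constructed Service Selection rule table (three rules instead of the six in the screenshot, with "Rule-2" and "RestrictAccess" sharing the same conditions), plus a check that flags any enabled rule an earlier enabled rule makes unreachable. The attribute names `protocol` and `ndg` and the device-group value are assumptions, not ACS's own attribute identifiers.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    service: str                       # access service selected when the rule matches
    conditions: dict = field(default_factory=dict)  # attribute -> required value
    enabled: bool = True


def matches(rule, request):
    """A rule matches when every condition attribute equals the request's value."""
    return rule.enabled and all(request.get(k) == v for k, v in rule.conditions.items())


def select_service(rules, request):
    """First-match evaluation, as in ACS service selection: the first enabled
    matching rule wins and later rules are never consulted."""
    for rule in rules:
        if matches(rule, request):
            return rule.name, rule.service
    return None, "DenyAccess"


def shadowed_rules(rules):
    """Names of enabled rules that can never be hit: an earlier enabled rule's
    conditions are a subset of (or equal to) theirs, so every request that
    would match the later rule already matched the earlier one."""
    result = []
    for i, later in enumerate(rules):
        if not later.enabled:
            continue
        for earlier in rules[:i]:
            if earlier.enabled and earlier.conditions.items() <= later.conditions.items():
                result.append(later.name)
                break
    return result


# Constructed rule table mirroring the thread: the second and third rules carry
# identical conditions, so the third (RestrictAccess) is shadowed.
RULES = [
    Rule("Rule-1", "Default Network Access", {"protocol": "RADIUS"}),
    Rule("Rule-2", "Sec Admin", {"protocol": "TACACS", "ndg": "CoreRouters"}),
    Rule("RestrictAccess", "RestrictAccess", {"protocol": "TACACS", "ndg": "CoreRouters"}),
]

# Constructed TACACS+ request from a device in the assumed "CoreRouters" NDG.
REQUEST = {"protocol": "TACACS", "ndg": "CoreRouters", "user": "restricted-user"}

if __name__ == "__main__":
    print(select_service(RULES, REQUEST))   # ('Rule-2', 'Sec Admin')
    print(shadowed_rules(RULES))            # ['RestrictAccess']
```

Disabling "Rule-2" (the fix the reply suggests) empties the shadowed list and makes the same request land on "RestrictAccess".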