ACS 5.3: Manage/create groups

Hi,

As a Network Eng, I want the NetAdmins to use ACS for auth on their devices such as Fabric Interconnects, MDS switches and so on. How can I make sure that, once TACACS+ is configured on those devices, NetAdmins can only access those specific devices and nothing else (i.e. switches, routers, etc.)?

I am new to ACS, so any other tips/suggestions are appreciated.

Thanks in advance.

1 REPLY

Re: ACS 5.3: Manage/create groups

1.  Put all the devices that the NetAdmins are permitted to modify in one Device Group

2.  Put all the NetAdmin user accounts in one Identity Group

3.  Create a rule that lets NetAdmins logging into their Device Group access the device:

     Go to:  Access Policies > Access Services > Default Device Admin > Authorization

          Click the Customize button at the bottom of the screen.

          In the popup window, under Customize Conditions, move Identity Group and NDG:Device Type to the Selected: box on the right

          Click OK

     Click the Create button

          Under Conditions:

               Check the box next to Identity Group:

                    Use the Select button to choose your NetAdmin Identity Group

               Check the box next to NDG:Device Type:

                    Use the Select button to choose the Device Group your NetAdmin devices belong to

          Under Results:

               Use the Select button to choose a Shell Profile; probably use Permit Access

               Under Command Sets:  Use the Select button to choose a Command Set

                    (Build at Policy Elements > Authorizations and Permissions > Device Administration > Command Sets)

          Click the OK button.

     Check the box next to this new rule, and use the ^ button to move it to the top of your list of rules.

4.  Create a rule that denies access to NetAdmins trying to log into any other device:

     Click the Create button

          Under Conditions:

               Check the box next to Identity Group:

                    Use the Select button to choose your NetAdmin Identity Group

          Under Results:

               Use the Select button to choose a Shell Profile; probably use DenyAccess

               Under Command Sets:  Use the Select button to choose a Command Set; probably use DenyAllCommands

          Click the OK button.

     Check the box next to this new rule, and use the ^ button to move it directly below the rule created in step 3.

I hope this helps, and in the future try posting ACS-type questions to the AAA, Identity and NAC forum instead of the Security Management forum.

--Chris
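The first-match rule logic behind steps 3 and 4 above, as an added example that is not part of the original thread: a small Python simulation of the device-admin Authorization table. Rule names, Identity Group names, NDG paths, user names and device names are constructed; treating NDG:Device Type as a hierarchical match (a parent group matches devices in its child groups) and ending the table with a Default row that denies are assumptions of this model, not a description of how ACS 5.3 ships.

```python
# Added example (not from the original thread): a first-match simulation of the
# ACS 5.3 device-admin Authorization rule table built in steps 3 and 4.
# Rule names, group names, users and devices are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of the Authorization policy. A None condition means 'not checked'."""
    name: str
    identity_group: Optional[str]   # "Identity Group" condition
    device_type: Optional[str]      # "NDG:Device Type" condition (hierarchical path)
    shell_profile: str              # result, e.g. "Permit Access" or "DenyAccess"
    command_set: str                # result, e.g. "NetAdmin-Commands" or "DenyAllCommands"


@dataclass(frozen=True)
class Request:
    """A TACACS+ authorization request as ACS would see it (constructed)."""
    user: str
    identity_group: str
    device: str
    device_type: str                # NDG path of the device, e.g. "All Device Types:DC_Fabric"


def ndg_matches(selected: str, actual: str) -> bool:
    """NDG conditions are modelled hierarchically here: selecting a parent group
    matches every device in its child groups (an assumption of this example)."""
    return actual == selected or actual.startswith(selected + ":")


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str, str]:
    """Walk the table top to bottom and return (rule name, shell profile,
    command set) of the first rule whose conditions all hold."""
    for rule in rules:
        if rule.identity_group is not None and rule.identity_group != req.identity_group:
            continue
        if rule.device_type is not None and not ndg_matches(rule.device_type, req.device_type):
            continue
        return rule.name, rule.shell_profile, rule.command_set
    raise ValueError("rule table must end with an unconditional Default rule")


def is_permitted(rules: List[Rule], req: Request) -> bool:
    """True when the matching rule's Shell Profile grants access."""
    _, shell_profile, _ = evaluate(rules, req)
    return shell_profile == "Permit Access"


# The step 3 rule, then the step 4 rule directly below it; the remaining rows
# are constructed stand-ins for the rest of the policy.
NETADMIN_PERMIT = Rule("NetAdmin-DC-Permit", "NetAdmins", "All Device Types:DC_Fabric",
                       "Permit Access", "NetAdmin-Commands")
NETADMIN_DENY = Rule("NetAdmin-Other-Deny", "NetAdmins", None,
                     "DenyAccess", "DenyAllCommands")
NETENG_PERMIT = Rule("NetEng-All-Permit", "NetworkEngineers", None,
                     "Permit Access", "AllCommands")
DEFAULT = Rule("Default", None, None, "DenyAccess", "DenyAllCommands")

CORRECT_ORDER = [NETADMIN_PERMIT, NETADMIN_DENY, NETENG_PERMIT, DEFAULT]
# Same rows, but with the step 4 deny rule left above the step 3 permit rule.
WRONG_ORDER = [NETADMIN_DENY, NETADMIN_PERMIT, NETENG_PERMIT, DEFAULT]

# Constructed sample requests.
REQ_NETADMIN_FI = Request("alice", "NetAdmins", "fi-a",
                          "All Device Types:DC_Fabric:FabricInterconnect")
REQ_NETADMIN_CORE = Request("alice", "NetAdmins", "core-rtr1",
                            "All Device Types:Core:Router")
REQ_NETENG_CORE = Request("bob", "NetworkEngineers", "core-rtr1",
                          "All Device Types:Core:Router")
REQ_UNKNOWN = Request("carol", "Contractors", "fi-a",
                      "All Device Types:DC_Fabric:FabricInterconnect")


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(f"--- {label} ---")
        for req in (REQ_NETADMIN_FI, REQ_NETADMIN_CORE, REQ_NETENG_CORE, REQ_UNKNOWN):
            name, shell, cmds = evaluate(rules, req)
            print(f"{req.user:6} on {req.device:10} -> {name:20} {shell:14} {cmds}")
```

Running it shows why the ordering in steps 3 and 4 matters: with the permit rule on top and the deny rule directly beneath it, a NetAdmin is allowed only on devices under the NetAdmin Device Group and denied everywhere else, while other groups fall through to their own rows. With the two rules swapped, the NetAdmin-only deny row matches first and locks NetAdmins out of their own devices as well.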
