06-07-2010 02:29 PM - edited 03-06-2019 11:27 AM
I have a Cisco 2811 router with a HWIC-16A adapter. I would like to implement it for access to several firewalls and core switches / routers. However, I would like to provide separation of access to the firewalls and core routers and switches. I.e. user group 1 can only access firewalls, user group 2 only core devices, and user group 3 all connected devices.
Is it possible to do this through the use of tacacs+? If not, is it possible to do this using accounts directly on the 2811?
I have been thoroughly searching the forums and looking at the configuration options to find a solution, but have come up dry. I have a feeling that this is just something beyond capability, but it would be great to divide up user groups for access to various items through the "menu list" when connecting.
Thank you in advance for any guidance or assistance!
06-08-2010 03:40 AM
You can do this with the Cisco ACS server software - do you have this?
06-08-2010 07:13 AM
Yes, using Cisco ACS server. I'm stuck trying to find what links the different menu items to the user's ability to make a menu selection / execute the command specification of that menu item (telnet to xxx.xxx.xxx.xxx device).
I.e. how can I let group "admin" access all devices, while having a group "firewall" able to access all of the firewall resources, while allowing both types of users to log in to this particular router, but still preventing "firewall" from logging into any other router?
A brief example of the configuration options necessary to restrict this would be great. Is my confusion clear / is what I'm asking clear?
Thank you for your assistance thus far!
06-08-2010 07:24 AM
Have a look here - http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_configuration_examples_list.html
See if this helps out.
06-08-2010 08:24 AM
Thank you, I will look through these to see if I find something that details my confusion.
06-08-2010 07:32 AM
Hi
You can achieve the same with ACS Server; follow the steps below.
1] In the Network Configuration tab, create different groups for routers, switches & firewalls.
2] Create different user groups & assign what needs to be accessed (i.e. Network Configuration Group - Router Group, Switch Group & Firewall Group).
3] Create the user and assign the user group that he wants to access.
For example: In Network Configuration Group: create: Router, Switch, Firewall
In User Group: create two groups: Group 1 & Group 2
Group 1 is associated with the Router, Firewall & Switch groups.
Group 2 is associated with only the Router & Switch groups.
Create two users: User 1 & User 2
User 1 is associated with Group 1
User 2 is associated with Group 2
So User 1 can access all routers, firewalls & switches, and User 2 can access only routers & switches.
Regards
Chetan kumar
06-08-2010 08:24 AM
So essentially, what you're implying is that:
The 2811 that provides the terminal access through the HWIC-16A connections does not have any permissions management on board. However, I could use the ACS grouping and permissions system to require users to reauthenticate with the Cisco ACS server when they make a menu selection that ultimately redirects them to telnet to a device. They will then check permissions with the server when logging into that device, just as if they telnet to it from anywhere else?
I could then allow access to the 2811 but restrict what other commands they are able to execute in privileged mode?
I understand how Cisco ACS works - but I'm still not positive that I'm understanding how you imply I should associate it with my setup.
Remember - after connecting to the 2811, they make a selection to a menu item to connect via console to that device.
Thank you for the replies so far!
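The IOS side of the setup Chetan describes, as an added example that is not from this thread or from Cisco: the 2811 authenticates everyone against ACS, each ACS user group gets its own menu (handed out through the TACACS+ exec authorization attribute autocmd, set in the group's shell settings on ACS, or via the local fallback user shown), and the menu items reverse-telnet to the HWIC-16A async lines. The addresses, shared secret, line numbers and menu names are assumed placeholders. The menu is only a convenience, not the access boundary: what actually stops a "firewall" user on a core device is the ACS device-group restriction on that user group plus the target devices' own console lines authenticating against ACS.

```cisco
! 2811 terminal server: AAA against ACS (address, key and line numbers are assumed placeholders)
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-SHARED-SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
! Local fallback account for when ACS is unreachable; it is dropped straight into the all-devices menu
username emergency privilege 15 secret EXAMPLE-PASSWORD
username emergency autocommand menu ALL
!
! HWIC-16A async lines wired to the device consoles: no local exec, reverse telnet only
line 0/0/0 0/0/15
 no exec
 transport input telnet
 stopbits 1
!
! Reverse-telnet shorthand: TCP 2000 + absolute line number of each async port,
! targeting the 2811's own address (assumed line numbers and address)
ip host fw-a 2001 192.0.2.1
ip host fw-b 2002 192.0.2.1
ip host core-sw1 2003 192.0.2.1
!
! Menu served to the "firewall" ACS group (ACS shell attribute: autocmd=menu FW); only firewall consoles are listed
menu FW title ^C Firewall consoles (session ends on exit) ^C
menu FW text 1 Firewall A console
menu FW command 1 telnet fw-a
menu FW text 2 Firewall B console
menu FW command 2 telnet fw-b
menu FW text 9 Exit
menu FW command 9 menu-exit
menu FW clear-screen
!
! Menu served to the "admin" ACS group (autocmd=menu ALL): every connected console
menu ALL title ^C All consoles (session ends on exit) ^C
menu ALL text 1 Firewall A console
menu ALL command 1 telnet fw-a
menu ALL text 2 Firewall B console
menu ALL command 2 telnet fw-b
menu ALL text 3 Core switch 1 console
menu ALL command 3 telnet core-sw1
menu ALL text 9 Exit
menu ALL command 9 menu-exit
menu ALL clear-screen
```

Because the menu is launched as an autocommand, leaving it ends the session rather than returning the user to an exec prompt where they could telnet to any port themselves; the console line on each firewall and core device must itself point at ACS (login authentication default) so the second login is where the group restriction is enforced.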