I am setting up a Cisco ACS server for hundreds of network devices.
GROUPS DEFINED
==============
Group 0 : Superuser (member usernames are a and n)
Group 1 : admincentral (member username is d)
Group 2 : adminsouth (member username is south)
Group 3 : adminnorth (member username is north)
Group 4 : support (member username is support)
Group 5 : viewer (member username is viewer)
Group 6 : planning (member username is planning)
Group 7 : planningconfig (member username is ?)
Network device groups (NDGs) defined
====================================
north
centralnoncoreswitch
centralnoncorerouter
centralwireless
centralcore
south
centraledge
AAA CONFIG IN CLIENT
====================
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE none
aaa authentication enable default enable
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
tacacs-server host a.b.c.d
tacacs-server directed-request
tacacs-server key xyz
ACHIEVEMENT SO FAR
==================
Whenever I log in to the device, it takes me directly into the privilege level (e.g. level 15 for superuser) instead of asking for the enable password.
PROBLEM
=======
How can I use the "ENABLE OPTIONS" effectively? It has three options: 1) No enable privileges, 2) Max privilege level for any AAA client, 3) Define max privilege on a per-NDG basis.
But the pity is that I am not able to use it effectively. Can you help me?
Currently what I do is go to the "TACACS+ SETTINGS" section and then check the Shell (exec) and Privilege level check boxes, with a number, let's say 15, 10 or 4.
Believe me, nothing works unless I check the PRIVILEGE LEVEL check box and fill in the number, and whatever level I set there becomes applicable to all the users on all the devices, which is very strange. Can you help me? Secondly, what can I do so that, for a particular group, the members of the group have view privileges for certain devices or NDGs while at the same time having FULL ACCESS to a few particular devices? Is it possible, and how?
I would be really obliged for your help.
Thanks and regards, cheema
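Added example (not from the poster, Cisco or ACS): the device only enforces what its own AAA method lists ask for, so whatever privilege level ACS returns at login is the whole story unless the IOS side also authorizes commands. The script below parses the 'aaa' lines from the post (copied into POSTED_AAA_CONFIG) and reports three gaps in that fragment: the CONSOLE list authenticates nobody, exec authorization has no local fallback if the TACACS+ server is unreachable, and level-15 commands are accounted but never authorized. HARDENED_AAA_CONFIG is an assumed corrected variant, written for comparison, that the linter passes clean; the finding codes and the two config constants are this example's own names.

```python
"""Lint the AAA method lists of a Cisco IOS config fragment.

Added example for this thread (not from the original poster, Cisco, or ACS):
it parses 'aaa ...' lines and reports the gaps that decide how the privilege
level ACS hands back at login actually constrains the user on the device.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the AAA block as posted above, one command per line.
POSTED_AAA_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE none
aaa authentication enable default enable
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
"""

# Assumed hardened variant for comparison (illustrative, not from the post):
# console falls back to local credentials, exec authorization keeps a local
# fallback so a TACACS+ outage does not lock operators out, and level-15
# commands are authorized (not only accounted) against the server.
HARDENED_AAA_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
"""

@dataclass
class MethodList:
    kind: str                # authentication | authorization | accounting
    service: str             # login | enable | exec | commands
    level: Optional[int]     # privilege level, only for 'commands'
    name: str                # 'default' or a named list such as CONSOLE
    record: Optional[str]    # accounting record type (start-stop, stop-only, ...)
    methods: list            # ordered methods, e.g. ['group tacacs+', 'local']

AAA_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) "
    r"(login|enable|exec|commands)(?: (\d+))? (\S+)(?: (.*))?$"
)
RECORD_TYPES = {"start-stop", "stop-only", "wait-start"}

def parse_aaa(config: str) -> list:
    """Return every 'aaa <kind> <service> ...' line as a MethodList."""
    parsed = []
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue                        # 'aaa new-model', tacacs-server lines, etc.
        kind, service, level, name, rest = m.groups()
        tokens = (rest or "").split()
        record = None
        if kind == "accounting" and tokens and tokens[0] in RECORD_TYPES:
            record = tokens.pop(0)          # record type precedes the method list
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")   # 'group tacacs+', 'group radius'
                i += 2
            else:
                methods.append(tokens[i])                  # local, enable, none, if-authenticated
                i += 1
        parsed.append(MethodList(kind, service, int(level) if level else None,
                                 name, record, methods))
    return parsed

def lint_aaa(lists: list) -> list:
    """Return (code, message) findings in a fixed order."""
    findings = []
    pick = lambda kind, service: [ml for ml in lists
                                  if ml.kind == kind and ml.service == service]
    for ml in pick("authentication", "login"):
        if ml.methods == ["none"]:
            findings.append(("LOGIN-NONE",
                f"login list '{ml.name}' uses method 'none': any line applying it "
                "gives an unauthenticated exec shell"))
    for ml in pick("authorization", "exec"):
        if not any(m in ("local", "if-authenticated") for m in ml.methods):
            findings.append(("EXEC-AUTHZ-NO-FALLBACK",
                f"exec authorization list '{ml.name}' has no local/if-authenticated "
                "fallback: exec is denied for everyone while the servers are unreachable"))
    authorized_levels = {ml.level for ml in pick("authorization", "commands")}
    for ml in pick("accounting", "commands"):
        if ml.level not in authorized_levels:
            findings.append(("CMD-ACCT-WITHOUT-AUTHZ",
                f"level-{ml.level} commands are accounted but never authorized: "
                "only the privilege level returned by ACS limits what the user can run"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_AAA_CONFIG), ("hardened", HARDENED_AAA_CONFIG)):
        print(f"== {label} ==")
        for code, msg in lint_aaa(parse_aaa(cfg)) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

Run it as-is to see the three findings for the posted fragment and none for the hardened one; the per-device distinction the question asks about (view-only on some NDGs, full access on others) still has to come from the ACS side, but without `aaa authorization commands` on the device that distinction is only as strong as the privilege level itself.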