AAA Privileges

Hi

I am setting up cisco ACS Server for 100s of network devices.

GROUPS DEFINED
==============
Group 0 : Superuser (member usernames are a and n)
Group 1 : admincentral (member username is d)
Group 2 : adminsouth (member username is south)
Group 3 : adminnorth (member username is north)
Group 4 : support (member username is support)
Group 5 : viewer (member username is viewer)
Group 6 : planning (member username is planning)
Group 7 : planningconfig (member username is ?)

Network device groups (NDGs) defined
====================================
north
centralnoncoreswitch
centralnoncorerouter
centralwireless
centralcore
south
centraledge

AAA CONFIG IN CLIENT
====================
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE none
aaa authentication enable default enable
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
tacacs-server host a.b.c.d
tacacs-server directed-request
tacacs-server key xyz

ACHIEVEMENT SO FAR
==================
Whenever I log in to the device, it directly takes me into the privilege level, e.g. level 15 for superuser, instead of asking for the enable password.

PROBLEM
=======
How can I effectively use the "ENABLE OPTIONS"? It has three options:

1) No enable privileges
2) Max privilege level for any AAA client
3) Define MAX Privilege on a per NDG basis

But the pity is I am not able to use it effectively; can you help me?

Currently what I do is, I go to the "TACACS+ SETTINGS" section and then CHECK the Shell (exec) and Privilege level check box with a number, let's say 15 or 10 or 4.

Believe me, nothing works unless I check the PRIVILEGE LEVEL CHECK BOX and fill in the number. Whatever level I set there becomes applicable for all the users for all the devices, and that is very strange. Can you help me?

Secondly, can I do it for a particular group so that the members of the group can have view privileges for certain devices or NDGs while at the same time having FULL ACCESS to a few particular devices? Is it possible, and how?

I would be really obliged for your help.

Thanks and regards,
Cheema


================================================================

Hi

Our activity has been completed. Specific users have been assigned certain groups which are being assigned to an NDG which is further assigned to SHELL COMMAND AUTH sets. Result is that we are able to manage many ADMINS with varying levels of privileges.

Following is the command set used in the AAA client.

aaa authentication login default group tacacs+ line enable
aaa authentication login CONSOLE none
aaa authentication enable default group tacacs+ enable line
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 14 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+

Kindly point out if you see any issues with this configuration.

Thanks and Best Regards,
Cheema
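As an added example (not Cheema's code, and not part of the ACS product), the following Python parses the AAA client commands posted in both messages of this thread into their method lists and reports the lists that contain `none`, the first thing to check when reviewing the final configuration above. The sample input is the second configuration, re-typed one command per line from the post.

```python
import re

# Sample input, constructed from the AAA client commands posted in the thread,
# re-typed one command per line (the post pastes them run together).
POSTED_CONFIG = """\
aaa authentication login default group tacacs+ line enable
aaa authentication login CONSOLE none
aaa authentication enable default group tacacs+ enable line
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 14 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
"""

# aaa <service> <type> [<priv-level>] <list-name> <methods...>
AAA_LINE = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.+)$"
)
ACCOUNTING_RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "none"}


def parse_method_lists(config_text):
    """One record per AAA method-list command; commands with no list are skipped."""
    records = []
    for line in config_text.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue
        service, kind, level, name, rest = m.groups()
        # "group tacacs+" is one method; every other method is a single keyword
        methods = re.findall(r"group \S+|\S+", rest)
        if service == "accounting" and methods[0] in ACCOUNTING_RECORD_TYPES:
            methods = methods[1:]  # drop the record type; the rest are methods
        records.append({"service": service, "type": kind, "level": level,
                        "name": name, "methods": methods})
    return records


def find_none_methods(config_text):
    """Report method lists containing 'none'. IOS moves to the next method only
    when the previous one returns an error (e.g. all TACACS+ servers unreachable),
    not on a denial, and 'none' performs no check at all, so any list that can
    fall through to it grants access whenever the earlier methods error out."""
    findings = []
    for r in parse_method_lists(config_text):
        if "none" in r["methods"]:
            where = " ".join(filter(None, [r["service"], r["type"], r["level"], r["name"]]))
            findings.append(f"{where}: {' '.join(r['methods'])}")
    return findings
```

Running `find_none_methods(POSTED_CONFIG)` flags the CONSOLE login list and both command authorization lists; the accounting lists are not flagged.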
