AAA Privileges

Discussion in 'Cisco' started by Cheema, Jun 19, 2007.

  1. Cheema

    Cheema Guest

    Hi

    I am setting up a Cisco ACS server for hundreds of network devices.

    GROUPS DEFINED
    ==============
    Group 0 : Superuser (member usernames are a and n)
    Group 1 : admincentral (member username is d)
    Group 2 : adminsouth (member username is south)
    Group 3 : adminnorth (member username is north)
    Group 4 : support (member username is support)
    Group 5 : viewer (member username is viewer)
    Group 6 : planning (member username is planning)
    Group 7 : planningconfig (member username is ?)

    Network device groups NDGs Defined
    ==================================
    north
    centralnoncoreswitch
    centralnoncorerouter
    centralwireless
    centralcore
    south
    centraledge


    AAA CONFIG IN CLIENT
    ===================
    aaa new-model
    ! login: TACACS+ first, then local users, then the enable secret if the server is unreachable
    aaa authentication login default group tacacs+ local enable
    ! the list named CONSOLE skips authentication entirely; it only takes effect once
    ! applied with "login authentication CONSOLE" under "line con 0"
    aaa authentication login CONSOLE none
    aaa authentication enable default enable
    ! exec authorization goes to TACACS+ only, with no fallback method: while the
    ! server is unreachable, exec authorization fails and logins are refused
    aaa authorization exec default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    tacacs-server host a.b.c.d
    tacacs-server directed-request
    tacacs-server key xyz

    ACHIEVEMENT SO FAR
    =================
    Whenever I log in to the device, it takes me directly into the privilege
    level, e.g. level 15 for a superuser, instead of asking for the enable
    password.

    PROBLEM
    =======
    How can I use the "ENABLE OPTIONS" effectively? It has three options:
    1) No enable privileges 2) Max privilege level for any AAA client 3)
    Define max privilege on a per-NDG basis

    But the pity is that I am not able to use it effectively. Can you help me?

    Currently what I do is go to the "TACACS+ SETTINGS" section and then
    check the Shell (exec) and Privilege level check boxes with a number,
    let's say 15 or 10 or 4.

    Believe me, nothing works unless I check the PRIVILEGE LEVEL check box
    and fill in the number; whatever level I set there becomes applicable
    to all the users on all the devices, and that is very strange. Can you
    help me?

    Secondly, can I arrange for a particular group that the members of the
    group have view privileges for certain devices or NDGs while at the same
    time having FULL ACCESS to a few particular devices? Is it possible, and how?

    I would be really obliged for your help.

    thanks and regards
    cheema
    Cheema, Jun 19, 2007
    #1
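The second question in the post above (view-only on some NDGs, full access on a few devices) comes down to a per-NDG mapping of the two things ACS hands back to the device: the priv-lvl in the shell (exec) authorization reply and a permit/deny answer to each command. The following is an added example, not ACS code and not the poster's configuration, that models that mapping in Python. Group and NDG names are the ones listed in the post; the privilege levels, the command-set rules, the device-to-NDG inventory and the function names are assumptions made for illustration.

```python
"""Model of per-NDG privileges in a Cisco Secure ACS / TACACS+ setup.

Added example written for this thread; it is neither ACS code nor the
poster's actual ACS configuration. Group and NDG names come from the
thread; levels, command sets and the device inventory are assumptions.
"""
import re


class ShellCommandSet:
    """Mimics an ACS 'Shell Command Authorization Set': an ordered list of
    (command, argument-regex, permit) rules plus an unmatched-command default."""

    def __init__(self, name, rules, permit_unmatched=False):
        self.name = name
        self.rules = [(c.lower(), re.compile(a), p) for c, a, p in rules]
        self.permit_unmatched = permit_unmatched

    def permits(self, cmdline):
        parts = cmdline.strip().split(None, 1)
        if not parts:
            return False
        cmd = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        for command, arg_re, permit in self.rules:
            if cmd == command and arg_re.fullmatch(args):
                return permit
        return self.permit_unmatched


# Assumed command sets: viewers may look but not at the running config.
VIEW_ONLY = ShellCommandSet("ViewOnly", [
    ("show", r"running-config.*", False),  # keep secrets away from viewers
    ("show", r".*", True),
    ("ping", r".*", True),
    ("traceroute", r".*", True),
    ("exit", r"", True),
])
FULL = ShellCommandSet("FullAccess", [], permit_unmatched=True)

# Constructed inventory: device -> NDG, as ACS would know it.
DEVICE_NDG = {
    "rtr-south-01": "south",
    "sw-core-01": "centralcore",
    "sw-north-03": "north",
}

# Group -> {NDG: (max privilege level, command set)}.  "*" is the catch-all
# and stands in for ACS's per-NDG "max privilege" plus per-NDG command-set
# assignment; the levels chosen here are assumptions.
POLICY = {
    "Superuser":    {"*": (15, FULL)},
    "adminsouth":   {"south": (15, FULL), "*": (1, VIEW_ONLY)},
    "adminnorth":   {"north": (15, FULL), "*": (1, VIEW_ONLY)},
    "admincentral": {"centralcore": (15, FULL), "centraledge": (15, FULL),
                     "*": (1, VIEW_ONLY)},
    "viewer":       {"*": (1, VIEW_ONLY)},
}


def lookup(group, device):
    """Resolve the (level, command set) pair for a group on a given device."""
    per_ndg = POLICY[group]
    return per_ndg.get(DEVICE_NDG[device], per_ndg["*"])


def exec_priv_lvl(group, device):
    """What ACS would return as priv-lvl in the shell (exec) authorization reply."""
    return lookup(group, device)[0]


def authorize_command(group, device, cmdline):
    """Per-command TACACS+ authorization answer: True = permit, False = deny."""
    return lookup(group, device)[1].permits(cmdline)


if __name__ == "__main__":
    for dev in DEVICE_NDG:
        print(dev, "adminsouth priv-lvl", exec_priv_lvl("adminsouth", dev),
              "configure terminal ->", authorize_command("adminsouth", dev, "configure terminal"))
```

The device only sees these answers if its own AAA lists ask for them: the priv-lvl arrives with an exec authorization sent to `group tacacs+`, and the per-command answers are only requested when `aaa authorization commands <level> default group tacacs+` is configured for the level the user is working at.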

  2. Cheema

    Cheema Guest

    Hi

    Our activity has been completed. Specific users have been assigned to
    certain groups, which are assigned to an NDG, which is further
    assigned to SHELL COMMAND AUTH sets. The result is that we are able to
    manage many admins with varying levels of privileges.

    Following is the command set used in the AAA client.

    aaa new-model
    aaa authentication login default group tacacs+ line enable
    aaa authentication login CONSOLE none
    ! enable: ask TACACS+ first, then the enable secret, then the line password
    aaa authentication enable default group tacacs+ enable line
    aaa authorization config-commands
    ! exec authorization never consults TACACS+, so the shell starts at the
    ! line's privilege level; the priv-lvl attribute from ACS is not applied at login
    aaa authorization exec default if-authenticated
    ! per-command authorization against the ACS shell command sets at levels 14
    ! and 15; "none" after "if-authenticated" is never reached for a logged-in user
    aaa authorization commands 14 default group tacacs+ if-authenticated none
    aaa authorization commands 15 default group tacacs+ if-authenticated none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    ! server definition as in the first post
    tacacs-server host a.b.c.d
    tacacs-server key xyz

    Kindly point out if you see any issues with this configuration.

    Thanks and Best Regards
    Cheema
    Cheema, Jun 26, 2007
    #2
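As a check on the configuration posted above, here is an added example (not a Cisco or ACS tool, and not part of the original thread) that parses IOS AAA method lists and reports the points a reviewer would raise: a login list set to `none`, exec authorization that never contacts TACACS+, methods placed after `if-authenticated` that can never run, command levels that are authorized but not accounted, and lists with no fallback when the server is unreachable. The SAMPLE_CONFIG string is the configuration from the post with its two wrapped lines rejoined; the function names and the wording of the findings are the script's own.

```python
"""Static review of Cisco IOS AAA method lists for common TACACS+ pitfalls.

Added example for this thread; not a Cisco tool.  SAMPLE_CONFIG is the
configuration posted in the thread (two wrapped lines joined).
"""

RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "none"}

SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ line enable
aaa authentication login CONSOLE none
aaa authentication enable default group tacacs+ enable line
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 14 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
"""


def parse_method_lists(config):
    """Split each 'aaa <kind> <sub> [level] <list> [record] <methods...>'
    line into a dict; 'group X' is kept as a single method token."""
    lists = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "aaa":
            continue  # e.g. 'aaa authorization config-commands' has no method list
        kind, sub, rest = tok[1], tok[2], tok[3:]
        if kind not in ("authentication", "authorization", "accounting"):
            continue
        level = None
        if sub == "commands":
            level, rest = int(rest[0]), rest[1:]
        name, rest = rest[0], rest[1:]
        if kind == "accounting" and rest and rest[0] in RECORD_TYPES:
            rest = rest[1:]  # drop start-stop / stop-only
        methods, i = [], 0
        while i < len(rest):
            if rest[i] == "group" and i + 1 < len(rest):
                methods.append("group " + rest[i + 1])
                i += 2
            else:
                methods.append(rest[i])
                i += 1
        lists.append({"kind": kind, "sub": sub, "level": level,
                      "name": name, "methods": methods})
    return lists


def audit(config):
    """Return a list of human-readable findings for the given AAA config."""
    findings = []
    lists = parse_method_lists(config)
    for ml in lists:
        label = f"aaa {ml['kind']} {ml['sub']}"
        if ml["level"] is not None:
            label += f" {ml['level']}"
        label += f" {ml['name']}"
        m = ml["methods"]
        if ml["kind"] == "authentication" and "none" in m:
            findings.append(f"{label}: 'none' lets anyone in without a credential")
        if "if-authenticated" in m and m.index("if-authenticated") < len(m) - 1:
            findings.append(f"{label}: methods after 'if-authenticated' are never "
                            "reached for a logged-in user")
        if (ml["kind"] == "authorization" and ml["sub"] == "exec"
                and not any(x.startswith("group") for x in m)):
            findings.append(f"{label}: exec authorization never consults the server, "
                            "so the ACS priv-lvl is not applied at login")
        if (ml["kind"] != "accounting" and m
                and all(x.startswith("group") for x in m)):
            findings.append(f"{label}: no local fallback; logins are refused while "
                            "the TACACS+ servers are unreachable")
    authz = {ml["level"] for ml in lists
             if ml["kind"] == "authorization" and ml["sub"] == "commands"}
    acct = {ml["level"] for ml in lists
            if ml["kind"] == "accounting" and ml["sub"] == "commands"}
    for lvl in sorted(authz - acct):
        findings.append(f"commands at level {lvl} are authorized but not accounted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the posted configuration it reports five items; the `CONSOLE none` list is only a problem if it is actually applied to `line con 0` with `login authentication CONSOLE`, which the parser cannot see from the `aaa` lines alone. Feeding it the first post's `aaa authorization exec default group tacacs+` instead produces the no-fallback finding, the classic lockout when the ACS server is down.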
