AAA Privileges

AAA Privileges

am 19.06.2007 19:55:15 von Cheema

Hi

I am setting up cisco ACS Server for 100s of network devices.

GROUPS DEFINED
==============
Group 0 : Superuser(member usersname is a and n)
Group 1 : admincentral(member usersname is d)
Group 2 : adminsouth(member username is south)
Group 3 : adminnorth(member username is north
Group 4 : support(member username is support)
Group 5 : viewer(member username is viewer)
Group 6 : planning(member username is planning)
Group 7 : planningconfig(member username is ?)

Network device groups NDGs Defined
==================================
north
centralnoncoreswitch
centralnoncorerouter
centralwireless
centralcore
south
centraledge


AAA CONFIG IN CLIENT
===================
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE none
aaa authentication enable default enable
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
tacacs-server host a.b.c.d
tacacs-server directed-request
tacacs-server key xyz

ACHIVEMENT SO FAR
=================
Whenver I login to the device, it directly takes me into the privilige
level e.g. level 15 for superuser for example instead of asking for
enable password.

PROBLEM
=======
How can I use effectively the "ENABLE OPTIONS", it has three options
1)No enable privileges 2) Max privilege level for any AAA client 3)
Define MAX Privilege on a per NDG basis

But pitty is I am not able to use it effectively, can you help me ???

currently what I do is , I goto "TACACS+ SETTINGS" section and then
CHECK the Shell(exec) and Privilege leve check box with number lets
say 15 or 10 or 4.

believe me nothing works unless I check the PRIVILIGE LEVEL CHECK BOX
and fill the number, whatever level I set there, it becomes applicable
for all the users for all the devices and that is very strange can you
help me ?

2ndly I can I do for a particular group that the members of the group
can have view privileges for certain devices or NDGs while at the same
time have FULL ACCESS to few particular devices, is it possible, how ?

I would be really obliged on your help

thanks and regards
cheema

Re: AAA Privileges

am 26.06.2007 08:27:24 von Cheema

On Jun 19, 10:55 pm, Cheema wrote:
> Hi
>
> I am setting up cisco ACS Server for 100s of network devices.
>
> GROUPS DEFINED
> ==============
> Group 0 : Superuser(member usersname is a and n)
> Group 1 : admincentral(member usersname is d)
> Group 2 : adminsouth(member username is south)
> Group 3 : adminnorth(member username is north
> Group 4 : support(member username is support)
> Group 5 : viewer(member username is viewer)
> Group 6 : planning(member username is planning)
> Group 7 : planningconfig(member username is ?)
>
> Network device groups NDGs Defined
> ==================================
> north
> centralnoncoreswitch
> centralnoncorerouter
> centralwireless
> centralcore
> south
> centraledge
>
> AAA CONFIG IN CLIENT
> ===================
> aaa new-model
> aaa authentication login default group tacacs+ local enable
> aaa authentication login CONSOLE none
> aaa authentication enable default enable
> aaa authorization exec default group tacacs+
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 15 default stop-only group tacacs+
> tacacs-server host a.b.c.d
> tacacs-server directed-request
> tacacs-server key xyz
>
> ACHIVEMENT SO FAR
> =================
> Whenver I login to the device, it directly takes me into the privilige
> level e.g. level 15 for superuser for example instead of asking for
> enable password.
>
> PROBLEM
> =======
> How can I use effectively the "ENABLE OPTIONS", it has three options
> 1)No enable privileges 2) Max privilege level for any AAA client 3)
> Define MAX Privilege on a per NDG basis
>
> But pitty is I am not able to use it effectively, can you help me ???
>
> currently what I do is , I goto "TACACS+ SETTINGS" section and then
> CHECK the Shell(exec) and Privilege leve check box with number lets
> say 15 or 10 or 4.
>
> believe me nothing works unless I check the PRIVILIGE LEVEL CHECK BOX
> and fill the number, whatever level I set there, it becomes applicable
> for all the users for all the devices and that is very strange can you
> help me ?
>
> 2ndly I can I do for a particular group that the members of the group
> can have view privileges for certain devices or NDGs while at the same
> time have FULL ACCESS to few particular devices, is it possible, how ?
>
> I would be really obliged on your help
>
> thanks and regards
> cheema

============================================================ ====

Hi

Our activity has been completed. Specific users have been assigned
certain groups which are being assigned to an NDG which is further
assigned to SHELL COMMAND AUTH sets. Result is that we are able to
manage many ADMINS with varying levels of privileges.

Following is the command set used in the AAA client.

aaa authentication login default group tacacs+ line enable
aaa authentication login CONSOLE none
aaa authentication enable default group tacacs+ enable line
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 14 default group tacacs+ if-authenticated
none
aaa authorization commands 15 default group tacacs+ if-authenticated
none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+

Kindly point out if you see any issues with this configuration

Thanks and Best Regards
Cheema
============================================================ ==================