Author Topic: Cisco Secure ACS Queries  (Read 6507 times)

Offline abhisheksha

  • Cisco Newbie
  • *
  • Posts: 7
  • Reputation: 0
  • Certification: CCNP
Cisco Secure ACS Queries
« on: December 14, 2014, 10:38:47 PM »
Hi,

I had a few queries on Cisco ACS:

1. Creating different groups for devices. The same user may have different access rights to different groups. We have two groups of devices – group 1 devices and group 2 devices. The same user may have read/write access to the group 2 devices but only read access to the group 1 devices.

2. When the write privilege is granted to a particular user, can we restrict the write privilege so that it is only effective within a certain time window, without affecting read access?

3. When we grant write privilege to a particular user, can we restrict him/her so that he/she can only access a particular device (or a few devices)?

Can you please tell me how this would be possible?

Thank you!
 

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 398
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Cisco Secure ACS Queries
« Reply #1 on: December 15, 2014, 12:02:14 AM »
Assuming ACS 5.x, this should be possible. What device or privilege you want to grant to which user can be defined under the authorization policy. Just make sure you put the more specific rules at the top. For example,

User Group A + Device Group A + Time A = Read/Write
User Group A + Device Group A + Time B = Read Only
User Group A + Device Group B + Time All = Read Only
User Group B + Device Group C + Time All = Read Only
etc.
Read/Write and Read Only can be controlled using Shell Privilege Level or Command Authorization (TACACS required).
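
The rule table from the reply above, evaluated top-down with the first matching rule winning, as an added example that is not part of the original post and is not ACS code. The clock times for Time A and Time B, the default `Deny` result, and all function names are assumptions made for illustration; the `shadowed` check shows why a broad rule placed above a specific one silently disables it.

```python
from datetime import time

ANY = "*"  # wildcard, e.g. "Time All"

# Constructed windows: the post does not say what Time A and Time B are.
WINDOWS = {"A": (time(22, 0), time(23, 59)), "B": (time(0, 0), time(21, 59))}

# (user_group, device_group, time_window, result), in the order given in the post
RULES = [
    ("A", "A", "A", "Read/Write"),
    ("A", "A", "B", "Read Only"),
    ("A", "B", ANY, "Read Only"),
    ("B", "C", ANY, "Read Only"),
]
DEFAULT = "Deny"  # assumed result when no rule matches


def in_window(name, now):
    if name == ANY:
        return True
    start, end = WINDOWS[name]
    return start <= now <= end


def authorize(rules, user_group, device_group, now):
    """Return the result of the first rule whose conditions all match."""
    for ug, dg, win, result in rules:
        if ug in (ANY, user_group) and dg in (ANY, device_group) and in_window(win, now):
            return result
    return DEFAULT


def covers(a, b):
    """True if condition a matches everything condition b matches.
    Named windows are compared by name only; overlapping windows are not detected."""
    return a == ANY or a == b


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(e, l) for e, l in zip(earlier[:3], later[:3])):
                hits.append(i)
                break
    return hits
```

Running `shadowed` over a rule list before entering it in the authorization policy catches an ordering mistake that would otherwise only show up as a user getting the wrong access level.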

Offline abhisheksha

  • Cisco Newbie
  • *
  • Posts: 7
  • Reputation: 0
  • Certification: CCNP
Re: Cisco Secure ACS Queries
« Reply #2 on: December 15, 2014, 12:08:54 AM »
Thank you. I have figured out how to carry out the first two cases successfully.

Can you please provide detailed steps on how I can give write privileges on a per-device level?

Thanks!

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 398
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Cisco Secure ACS Queries
« Reply #3 on: December 16, 2014, 10:26:19 PM »
While you can do it per device, most likely you want to do it by a group of devices just to keep your authorization rules short. You can use Device Filter to arbitrarily group devices instead of using the Device Type/Location. To give write privileges, you can use a combination of Privilege 15 and Command Authorization that allows 'configuration terminal', as opposed to read-only, where you would block it.

 
