Cisco ACS 5.2 Role Based Authentication Authorization For Different Privilege Levels Configuration

Table of Contents

1.1. Introduction: TACACS+ AAA in Cisco ACS 5.1 and ACS 5.2
1.2. Log in to the device using https://ip-address-of-the-acs
1.3. Create a few test users
1.4. Setting up policy elements and shell profiles
1.5. Creating privilege 15 level shell access profile
1.6. Creating command sets for admin user
1.7. Creating command sets for read only user
1.8. Creating shell profile for read only user
1.9. Create a service selection rule to match the TACACS+ protocol
1.10. Create authorization policy for full administration access
1.11. Create authorization policy for read only administration access
1.12. Accessing the TACACS+ enabled device with the 2 different profiles

Introduction: TACACS+ AAA in Cisco ACS 5.1 and ACS 5.2

This document explains how to create Cisco ACS TACACS+ authentication and authorization profiles with different privilege levels in Cisco ACS 5.2.

Log in to the device using https://ip-address-of-the-acs

Create a few test users

Screenshot: create Cisco ACS local users

Setting up policy elements and shell profiles

You need to create 2 profiles for the 2 different types of access. Privilege 15 in the Cisco TACACS+ world means full access to the device without any restrictions. Privilege 1, on the other hand, allows the user to log in and execute only a limited set of commands. Below is a short description of the levels of access provided by Cisco.

· privilege level 1 = non-privileged (prompt is router>), the default level for logging in
· privilege level 15 = privileged (prompt is router#), the level after going into enable mode
· privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels, and commands that are normally at level 1 can be moved up to one of those levels. Obviously, this security model involves some administration on the device.

Screenshot: different privilege levels authorization profiles

Creating privilege 15 level shell access profile

Use the print screen below to create that profile.

Screenshot: creating command sets for admin user

Creating command sets for admin user

Command sets are lists of commands that apply to all the TACACS+ devices. They are used to restrict the commands a user is allowed to execute when that user is assigned the profile the command set belongs to.

Screenshot: creating command sets for admin user


Creating command sets for read only user

The screen below shows how to create a read only profile.

Screenshot: creating command sets for read only user
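To make the difference between the admin and read-only command sets concrete, the following Python model (an added example, not ACS code) evaluates a command line against a command set the way the two sections above describe: an ordered list of Permit/Deny rules, each with a command keyword and an optional argument regex, plus the "Permit any command that is not in the table" setting used as the fallback. The first-match semantics, the rule contents and the two sample sets are assumptions and constructed data, not taken from the page.

```python
"""Model of ACS 5.x TACACS+ command-set evaluation (added example, not ACS code).

Assumptions: rules are tried in the order shown in the ACS table; the first rule
whose command keyword and argument regex both match decides (Permit or Deny);
if no rule matches, the set's "Permit any command that is not in the table"
setting decides. All rule contents below are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class CommandRule:
    grant: str              # "Permit" or "Deny"
    command: str            # command keyword, compared case-insensitively
    arguments: str = ""     # regex matched against the argument string; "" matches anything


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule] = field(default_factory=list)
    permit_unmatched: bool = False   # the "Permit any command that is not in the table below" checkbox


def authorize_command(cmd_set: CommandSet, line: str) -> bool:
    """Return True if the command line is permitted by the command set."""
    parts = line.strip().split(None, 1)
    if not parts:
        return False                       # an empty request is never authorized
    keyword = parts[0].lower()
    args = parts[1] if len(parts) > 1 else ""
    for rule in cmd_set.rules:
        if rule.command.lower() != keyword:
            continue
        if rule.arguments and re.search(rule.arguments, args) is None:
            continue
        return rule.grant == "Permit"      # first matching rule decides
    return cmd_set.permit_unmatched


def permitted_commands(cmd_set: CommandSet, lines: List[str]) -> List[str]:
    """Filter a list of commands down to those the set would authorize (handy for testing a set)."""
    return [ln for ln in lines if authorize_command(cmd_set, ln)]


# Constructed sample sets mirroring the admin / read-only split described in the text.
ADMIN_SET = CommandSet("admin-full", rules=[], permit_unmatched=True)

READ_ONLY_SET = CommandSet(
    "read-only",
    rules=[
        CommandRule("Deny", "show", r"^running-config"),  # keep credentials in the config out of reach
        CommandRule("Permit", "show"),                     # every other show command
        CommandRule("Permit", "ping"),
        CommandRule("Permit", "traceroute"),
        CommandRule("Permit", "exit"),
        CommandRule("Permit", "terminal", r"^length\b"),
    ],
    permit_unmatched=False,
)


if __name__ == "__main__":
    sample = ["show version", "show running-config", "configure terminal",
              "terminal length 0", "terminal monitor", "ping 192.0.2.1"]
    for s in sample:
        print(f"{s!r:28} admin={authorize_command(ADMIN_SET, s)} "
              f"read-only={authorize_command(READ_ONLY_SET, s)}")
```

Because the first matching rule decides, the Deny rule for `show running-config` must sit above the general `show` permit; listing it below would make it unreachable. The admin set has no rules at all and relies entirely on the permit-unmatched fallback, which is what a privilege 15 profile with unrestricted access amounts to.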


Creating shell profile for read only user

Screenshot: creating shell profile for read only user

Create a service selection rule to match the TACACS+ protocol

Screenshot: create a service selection rule to match the TACACS+ protocol

Create authorization policy for full administration access

The Default Device Admin policy is selected as part of the policy evaluation process whenever the TACACS+ protocol is used. In simple terms, when you authenticate over TACACS+ the service policy selected is the Default Device Admin policy. That policy consists of 2 sections: identity, meaning who the user is and which local or external group the user belongs to, and authorization, meaning what the user is allowed to do according to the authorization profile configured. In the print screen below, the result of the above evaluation criteria is the assignment of the full privilege profile called privilege 15.

Screenshot: create authorization policy for full administration access

Create authorization policy for read only administration access

In the print screen below, the result of the above evaluation criteria is the assignment of the read only privilege profile called priv1.

Screenshot: create authorization policy for read only administration access
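The two authorization policy sections above describe one evaluation flow: the TACACS+ request selects the Default Device Admin policy, the identity step resolves the user's group, and the first matching authorization rule returns a shell profile (privilege 15 or priv1) together with a command set. The following Python model (an added example, not ACS code) walks a request through those steps and also checks an `enable` request against the shell profile's maximum privilege. The group names, usernames, rule table and the default-deny behaviour of the final rule are assumptions and constructed data; only the two profile names come from the text.

```python
"""Model of the ACS 5.x Device Admin evaluation flow (added example, not ACS code).

Steps modelled: service selection by protocol -> identity lookup (user to group)
-> first-match authorization rule -> shell profile + command set. Users, groups
and rules are constructed sample data; the default rule denies access.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ShellProfile:
    name: str
    default_privilege: int   # privilege level granted at login
    max_privilege: int       # highest level an 'enable <level>' request may reach


@dataclass(frozen=True)
class AuthzRule:
    name: str
    identity_group: str      # condition: the identity group the user belongs to
    shell_profile: str
    command_set: str


@dataclass(frozen=True)
class Result:
    shell_profile: ShellProfile
    command_set: str
    rule: str


# Constructed data. The profile names match the ones used in the text (privilege 15 and priv1).
SHELL_PROFILES: Dict[str, ShellProfile] = {
    "privilege 15": ShellProfile("privilege 15", default_privilege=15, max_privilege=15),
    "priv1": ShellProfile("priv1", default_privilege=1, max_privilege=1),
}

USERS: Dict[str, str] = {              # username -> identity group (the identity step)
    "admin1": "All Groups:Network Admins",
    "helpdesk1": "All Groups:Read Only",
}

DEVICE_ADMIN_RULES: List[AuthzRule] = [
    AuthzRule("Full-Admin", "All Groups:Network Admins", "privilege 15", "admin-full"),
    AuthzRule("Read-Only", "All Groups:Read Only", "priv1", "read-only"),
]


def select_service(protocol: str) -> Optional[str]:
    """Service selection: TACACS+ requests are routed to the Default Device Admin policy."""
    return "Default Device Admin" if protocol.lower() == "tacacs" else None


def evaluate(username: str, protocol: str) -> Optional[Result]:
    """Return the authorization result for a user, or None when the request is denied."""
    if select_service(protocol) != "Default Device Admin":
        return None                                  # not a device-admin request
    group = USERS.get(username)
    if group is None:
        return None                                  # identity step failed: unknown user
    for rule in DEVICE_ADMIN_RULES:                  # rules are evaluated top-down, first match wins
        if rule.identity_group == group:
            return Result(SHELL_PROFILES[rule.shell_profile], rule.command_set, rule.name)
    return None                                      # default rule: deny access


def enable_allowed(result: Result, requested_level: int) -> bool:
    """Check an 'enable <level>' request against the shell profile's maximum privilege."""
    return requested_level <= result.shell_profile.max_privilege


if __name__ == "__main__":
    for user in ("admin1", "helpdesk1", "contractor"):
        r = evaluate(user, "tacacs")
        if r is None:
            print(f"{user}: access denied")
        else:
            print(f"{user}: rule={r.rule} profile={r.shell_profile.name} "
                  f"priv={r.shell_profile.default_privilege} command_set={r.command_set} "
                  f"enable15={enable_allowed(r, 15)}")
```

The point worth checking on a real deployment is the last two branches: a user whose group matches no rule, or a request arriving over a protocol that does not select the Device Admin policy, must end in a deny rather than silently landing in a permissive default, and the read-only profile's maximum privilege must stop `enable 15` even when the user knows the enable secret.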

Accessing the TACACS+ enabled device with the 2 different profiles

Screenshot: different levels of access on the TACACS+ device

 

Similar documents for configuring other parameters of the ACS 5.2 appliance can be found below.

  1. Cisco ACS 5.2-Virtual-Machine-VMware-Workstation-Installation-Guide
  2. Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example
  3. Cisco-ACS-5.2-Intresting-Configurations
  4. Cisco-ACS-5.2-802.1.x-Authentication-And-Multi-Domain-Authentication-Configuration-Example
  5. Cisco TACACS+ switch template configuration example.
  6. Cisco TACACS+ firewall template configuration example.
