Re: OT:manage routers with TACACS+ server

From: chris.w.polson@xxxxxxxxxxxxx
Date: Sun Jun 09 2002 - 06:17:08 GMT-3

• Next message: Saher A Ishak: "need urgent seat in brussels early August or late July"
• Previous message: Malcolm Price: "unsetting cat5000 commands"
• Maybe in reply to: Tan Jeff: "OT:manage routers with TACACS+ server"
• Next in thread: p729@xxxxxxx: "Re: OT:manage routers with TACACS+ server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
Simple answer, most definitely can be done and you only need on server
provided all devices can reach the server. The method for doing it can be
quite varied based on your particular needs, the devices in use, etc. If
you've already installed the application it should have some online help,
although I've found it lacking a bit. I found a link to the user manuals
for version 2.3 on CCO. If you're interested you can go read that as well:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt23
/csnt23ug/index.htm

I can give you a quick explanation of what I've implemented (and forgive me
if I misdirect you, I'm using v 2.6). Given the requirements you've
outlined below, I'd create two device groups - HQ and Branch. I'd also
create two user groups - HQUser and BranchUser. When setting up the user
groups, within the "Enable Options" area select "Define max Privilege...."
then use the drop down menus to select the appropriate device group and
privilege level and add the association. Once done with device groups, you
can setup the individual users and associate them to the appropriate group
- Jeff to HQUser and Chris to BranchUser. When setting up the users make
sure you set everything to use the group level settings.

That's one way of doing it. :-D

Regards,
Chris

Christopher W. Polson
CIO Network Services - GNOC
Dallas Infomart
VPN 573/4021; direct: 214-672-4021
chris.w.polson@accenture.com

              "Tan Jeff"

              <tanmx@msn.com> To: chris.w.polson@accentur
e.com
                                               cc: ccielab@groupstudy.com

              06/09/2002 03:23 AM Subject: Re: OT:manage routers w
ith TACACS+ server

thank you,Chris.I think you don't understand what I want to solve.I know
what you said actually.My question is if my company has two administrators
Jeff and Chris,Jeff administrate HQ routers,Chris administrate BRANCH
routers.All routers use the same TACACS+ server for AAA.I want Jeff has
privilege 15 with HQ routers but only has privilege 10 with BRANCH
routers,and Chris has privilege 10 with HQ routers but has privilege 15
with BRANCH routers.Can I do this using only one TACACS+ server?

thanks.
Jeff

>From: chris.w.polson@accenture.com
>To: "Tan Jeff" <tanmx@msn.com>
>CC: ccielab@groupstudy.com, nobody@groupstudy.com
>Subject: Re: OT:manage routers with TACACS+ server
>Date: Sat, 8 Jun 2002 23:10:05 -0500
>
>
>Hi Jeff,
>
>We are using TACACS+ as well and do have differing levels of access. The
>differing levels of access in our environment are provided by the
>"privilege exec level command" at the device. For example:
>
>privilege exec level 10 traceroute <- allows use of extended
>traceroute
>privilege exec level 10 ping <- allows use of extended ping
>privilege exec level 10 show startup-config <- allows viewing of
>startup-config, but not running
>
>Once configured on the router (or any NAS), you can give the group the
>privilege level you wish them to have. I did find a link regarding the
>"privilege" commands that may help you as well:
>
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_r
/srprt5/srpass.htm

>
>Hopefully that helps you out a bit.
>
>Regards,
>Chris
>
>Christopher W. Polson
>CIO Network Services - GNOC
>Dallas Infomart
>VPN 573/4021; direct: 214-672-4021
>chris.w.polson@accenture.com
>
>
>
> "Tan Jeff"
> <tanmx@msn.com> To:
ccielab@groupstudy.com
> Sent by: cc:
> nobody@groupstudy.com Subject: OT:manage routers

with TACACS+ server
>
>
> 06/08/2002 10:40 PM
> Please respond to "Tan
> Jeff"
>
>
>
>
>
>Hi,all
> My company has over 100 routers,and I found it is very diffcult to
>manage the routers' password with vty password and enable password. I
don't
>
>know how experts do it.I am tring to do it with cisco TACACS+ server(ver
>2.3),but I met a problem.
> I have definded two groups of routers, one is HQ routers and the other
>is BRANCH routers. And our company has two groups of administrators
too,one
>
>is HQ administrator ,the other is BRANCH administrator. My aim is to
permit
>
>HQ administrtor can access the two groups routers with privilege 15,and
>BRANCH administrator can access BRANCH routers with privilege 15,HQ
routers
>
>with privilege 10.It seem there are no such item in TACACS+ server. can
>TACACS+ server do what I want?
> I have searched the CCO,but found nothing about it.any help will be
>appreciated.
>
> Jeff
>
>
>

• Next message: Saher A Ishak: "need urgent seat in brussels early August or late July"
• Previous message: Malcolm Price: "unsetting cat5000 commands"
• Maybe in reply to: Tan Jeff: "OT:manage routers with TACACS+ server"
• Next in thread: p729@xxxxxxx: "Re: OT:manage routers with TACACS+ server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Jul 02 2002 - 08:12:29 GMT-3