From: rahul.k@netsol.co.in
Date: Wed Jan 21 2004 - 14:53:29 GMT-3
> Dear All,
> I have a query with Ciscosecure ACS v3.1 for authorization of users
> telnetting to devices based on individual user privilege and NDG privilege
> as per the below scenario:
>
> Network device Group Name : L3
> clients in this group -all L3 switches with ip address 192.168.120.1-10
>
> Network device Group Name : L2
> clients in this group -all L2 switches with ip address 192.168.120.11-20
>
> User setup as per the attached file- acs user.bmp
>
> Now my requirement is that, when the user telnets to the switch, i.e. from
> the L3 NDG or L2 NDG, he should get the privilege
> as defined in the Adv Tacacs Settings, i.e.
>
> when he telnets to 192.168.120.1
> privilege should be level 15
>
> and
>
> when he telnets to 192.168.120.11
> privilege should be level 7
>
>
> but this does not work, as the privilege defined in the Tacacs+ settings
> overrides the device group and the user on L2 gets priv 15,
> i.e. the privileges are defined from the Tacacs+ settings irrespective of what
> is defined on the device group.
>
> also the conf on the switch side is
>
> aaa new-model
> aaa authentication login default group tacacs+ local
> aaa authorization exec default group tacacs+ local
> aaa authorization commands 15 default group tacacs+ local
> aaa authorization network default group tacacs+ local
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
> tacacs-server host 192.168.120.100
> tacacs-server key acskey
>
> Pls advise whether this is possible in ACS or not.
>
> regards
>
> rahul kadam
>
> <<acs user.zip>>
[GroupStudy removed an attachment of type application/octet-stream which had a name of acs user.zip]
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:48 GMT-3