Re: Create read only account on TACACS for only a few

From: pankaj ahuja (networksecurityconsultant@gmail.com)
Date: Tue Sep 04 2007 - 10:27:39 ART


Hello Jay,

Thank you for suggesting this document. I've already tried this one. What I
have already achieved is that the administrators can log in to the VPN
Concentrator using their TACACS login with full privileges.

The only problem is that now I need to add some users who would have
read-only access to the VPN concentrator. I did that on the ACS, but for some
reason users in this read-only group cannot log in. The ACS Server lets you
configure authorization, but I think it lets you specify the commands that one
would be allowed to run. Now, in the case of VPN Concentrators, it is a GUI that
one uses; how could I restrict using the commands?

I couldn't find any document on this.

Any suggestions are highly appreciated.

Regards
Pankaj

On 8/31/07, Jason W. Miller <jaymiller5@gmail.com> wrote:
>
> On the ACS you would set up your control levels for this group, add users
> to it with a read only configuration. On the concentrators you will go to
> Admin|Access Rights|AAA Servers|Authentication, and in there set up your ACS
> servers with the user/secret.
>
> http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/administration/guide/access.html#wpxref12998
>
>
> Jay
>
>
>
> On 8/31/07, pankaj ahuja <networksecurityconsultant@gmail.com> wrote:
> >
> > Hi Everyone,
> >
> >
> > I'm having some trouble creating an account on TACACS that has only
> > read only privileges to only a couple of VPN concentrators which
> > authenticate against TACACS. The TACACS Server is used to authenticate
> > us for all types of Cisco Devices we have. Now I've created a group that
> > should have only read only privileges for this group of users.
> >
> > I'm not sure how we restrict this group to read only access, because
> > the TACACS lets us set up authorization level and specify the CLI
> > commands that the user would be authorized to use, and I don't know how
> > I go about restricting the GUI access that one uses on the VPN
> > concentrator.
> >
> > Any Ideas would be greatly appreciated.
> >
> > Thanks
> >
> > Pankaj
> >
> >
>
>
> --
> ~Jay~



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:09 ART