[c-nsp] Privilege levels and Secure ACS
Andrew Fort
afort at choqolat.org
Wed Jul 6 17:53:10 EDT 2005
On 06/07/2005, at 1:44 AM, Kim Onnel wrote:
> For those who did this with ACS before, please correct me if I am
> wrong
>
> 1) Create two different NDGs (network device groups): P and PEs (e.g.)
>
> 2) Create two different "Command Configuration sets":
> a) All commands (all)
> b) limited commands (clear, show, ping, ...) (notall)
>
> 3) Create different user groups (Core, NOC, ...)
>
> How can I let user group (NOC) use the conf. set (all) on NDG (PEs)
> and, when accessing NDG (P), use the conf. set (notall)?
>
> I hope I explained it well.
>
> Regards
Not that it helps much, but this sounds like you're on the right track.
I've done exactly what you describe for Radiator's
<ServerTACACSPLUS>, where you use <Handler>s to match the particular
attributes you're interested in, based on your matrix (i.e., the
user's group and the client's (switch/router) role), and then set an
attribute which is, in our case, the ultimate 'privilege level' you
want to give (we have three different levels, basically: one for
limited NOC, one for provisioning, one for full enable). This
attribute is then used to match which group of authorisation
statements will be used when checking commands.
I've not used the 'full' ACS but I'm guessing it'll be something
along those lines, involving 'soft' attributes if you can do that.
-andrew
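The decision Andrew describes (match on the user's group and the device's role, resolve that pair to one command set, then check each command against that set's permit/deny statements) can be modelled in a few lines. The block below is an added example, not Radiator or ACS configuration and not code from either poster; the group names "Core"/"NOC", NDG names "P"/"PEs", command-set names "all"/"notall" and the sample command patterns are taken from the question, while the matrix contents and the regex rules are constructed assumptions for illustration.

```python
"""Model of a (user group, device group) -> command-set policy matrix.

Added example, not Radiator/ACS config. Names follow the thread; the rule
contents are constructed for illustration.
"""
import re

# Command sets: ordered (action, regex) rules, first match wins.
# Patterns are matched with re.fullmatch so a rule for "show ..." cannot
# match a longer command that merely contains the word "show".
COMMAND_SETS = {
    "all": [("permit", r".*")],
    "notall": [
        ("permit", r"show( .*)?"),
        ("permit", r"ping( .*)?"),
        ("permit", r"clear( .*)?"),
        ("deny", r".*"),          # explicit catch-all deny
    ],
}

# The matrix: which command set a user group gets on which device group.
# Constructed assumption: Core gets "all" everywhere, NOC gets "all" on
# PEs but only "notall" on P, as the question asks for.
MATRIX = {
    ("Core", "P"): "all",
    ("Core", "PEs"): "all",
    ("NOC", "PEs"): "all",
    ("NOC", "P"): "notall",
}


def command_set_for(user_group: str, device_group: str) -> str:
    """Resolve the matrix cell; unknown pairs get an implicit deny-all set."""
    return MATRIX.get((user_group, device_group), "deny-all")


def authorize(user_group: str, device_group: str, command: str) -> bool:
    """Return True if the command is permitted for this user on this device.

    The device sends the command and its arguments as separate AV pairs in
    TACACS+ command authorization; here the caller is assumed to have joined
    them into one line, and internal whitespace is normalised so that
    "show   ip  bgp" and "show ip bgp" hit the same rule.
    """
    rules = COMMAND_SETS.get(command_set_for(user_group, device_group),
                             [("deny", r".*")])
    normalised = " ".join(command.split())
    for action, pattern in rules:
        if re.fullmatch(pattern, normalised):
            return action == "permit"
    return False  # no rule matched: deny by default


if __name__ == "__main__":
    checks = [
        ("NOC", "PEs", "configure terminal"),
        ("NOC", "P", "configure terminal"),
        ("NOC", "P", "show ip bgp summary"),
        ("Guest", "P", "show version"),
    ]
    for ug, dg, cmd in checks:
        verdict = "permit" if authorize(ug, dg, cmd) else "deny"
        print(f"{ug:5} on {dg:3} [{command_set_for(ug, dg):8}] {cmd!r}: {verdict}")
```

Two design points carry over to the real products: resolve the matrix cell first and only then evaluate command rules, so a user who is not in any cell gets nothing rather than the last set that happened to match; and end every restricted set with an explicit deny-all rather than relying on the tool's default, since ACS and Radiator differ in what an unmatched command gets.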