Cisco ACS 5.2 Role Based Authentication Authorization For Different Privilege Levels Configuration
Table of Contents
1.1. Introduction Tacacs+ AAA in cisco ACS 5.1 and ACS 5.2
1.2. Login to the device using https://ip-address-of-the-acs
1.3. Create a few test users
1.4. Setting up Policy elements and shell profiles
1.5. Creating privilege 15 level shell access profile
1.6. Creating command sets for admin user
1.7. Creating command sets for read only user
1.8. Creating shell profile for read only user
1.9. Create a service selection rule to match the tacacs protocol
1.10. Create authorization policy for full administration access.
1.11. Create authorization policy for read only administration access.
1.12. Accessing the Tacacs+ enabled device with the 2 different profiles
Introduction Tacacs+ AAA in cisco ACS 5.1 and ACS 5.2
This document explains how to create Cisco ACS TACACS+ authentication and authorization profiles with different privilege levels in Cisco ACS 5.2.
Login to the device using https://ip-address-of-the-acs
Create a few test users
Setting up Policy elements and shell profiles
You need to create two profiles for the two different types of access. Privilege 15 in the Cisco TACACS+ world means full access to the device without any restrictions. Privilege 1, on the other hand, allows you to log in and execute a limited set of commands. Below is a short description of the levels of access provided by Cisco.
· privilege level 1 = non−privileged (prompt is router>), the default level for logging in
· privilege level 15 = privileged (prompt is router#), the level after going into enable mode
· privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout
Levels 2−14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels and commands that are normally at level 1 can be moved up to one of those levels. Obviously, this security model involves some administration on the device.
Creating privilege 15 level shell access profile
Use the print screen below to create that profile.
Creating command sets for admin user
Command sets are lists of commands that apply to all the TACACS+ devices. They can be used to restrict the commands a user is allowed to run when that command set is assigned through the user's authorization profile.
Creating command sets for read only user
The screen below shows how to create a read-only profile.
Creating shell profile for read only user
Create a service selection rule to match the tacacs protocol
Create authorization policy for full administration access.
The Default Device Admin policy, used with the TACACS+ protocol selection, is selected as part of the policy evaluation process. In simple terms, when you authenticate using the TACACS+ protocol, the service policy selected is called Default Device Admin. That policy comprises two sections: Identity, meaning who the user is and which group (local or external) the user belongs to, and Authorization, meaning what the user is allowed to do according to the configured authorization profile. In the print screen below, the result of the above evaluation criteria is the assignment of the full privilege profile called privilege 15.
Create authorization policy for read only administration access.
In the print screen below, the result of the above evaluation criteria is the assignment of the read-only privilege profile called priv1.
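The evaluation chain described in the last two sections (identity lookup, authorization rule match, shell profile plus command set) as a simplified model in Python. This is an added example, not ACS code and not a description of its actual policy engine; the usernames, identity groups and the read-only rule table are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ShellProfile:
    """Shell profile returned at login: the privilege level the device applies."""
    name: str
    privilege_level: int

@dataclass
class CommandSet:
    """Ordered Permit/Deny rules over (command, argument regex); first match wins.
    permit_unmatched mirrors ACS's 'Permit any command that is not in the table'."""
    name: str
    rules: tuple
    permit_unmatched: bool = False

    def allows(self, command: str, args: str) -> bool:
        for grant, cmd, args_re in self.rules:
            if cmd == command and re.fullmatch(args_re, args):
                return grant == "Permit"
        return self.permit_unmatched

# Constructed sample identities: username -> identity group.
USERS = {"admin": "NetworkAdmins", "readonly": "HelpDesk"}
PRIV15 = ShellProfile("privilege 15", 15)
PRIV1 = ShellProfile("priv1", 1)
ALL_COMMANDS = CommandSet("AllCommands", (), permit_unmatched=True)
READ_ONLY = CommandSet("ReadOnly", (
    ("Deny", "show", r"running-config.*"),  # keep config secrets out of reach
    ("Permit", "show", r".*"),
    ("Permit", "ping", r".*"),
    ("Permit", "exit", r""),
))
# Authorization rules of the Default Device Admin service (selected for TACACS+
# requests): identity group -> (shell profile, command set); no match = deny.
AUTHZ_RULES = {"NetworkAdmins": (PRIV15, ALL_COMMANDS), "HelpDesk": (PRIV1, READ_ONLY)}

def authorize_session(user: str):
    """Identity lookup plus authorization rule match; shell profile or None."""
    group = USERS.get(user)
    return AUTHZ_RULES[group][0] if group in AUTHZ_RULES else None

def authorize_command(user: str, line: str) -> bool:
    """Per-command authorization the device requests for each line typed."""
    group = USERS.get(user)
    if group not in AUTHZ_RULES:
        return False
    command, _, args = line.strip().partition(" ")
    return AUTHZ_RULES[group][1].allows(command, args)
```

Rule order matters: the Deny for running-config has to sit above the Permit for show, because the first matching row decides.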
Accessing the Tacacs+ enabled device with the 2 different profiles
Similar documents for configuring different parameters of the ACS 5.2 appliance can be found below.
- Cisco ACS 5.2-Virtual-Machine-VMware-Workstation-Installation-Guide
- Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example
- Cisco-ACS-5.2-Intresting-Configurations
- Cisco-ACS-5.2-802.1.x-Authentication-And-Multi-Domain-Authentication-Configuration-Example
- Cisco TACACS+ switch template configuration example.
- Cisco TACACS + firewall template configuration example.