How to Assign Privilege Levels with CiscoSecure ACS TACACS+

How do I assign a privilege level to a user in Secure ACS (TACACS+) when the user exists in an external database?
Regards,
Bilal

Hi Bilal,
Bring users/groups in at level 15
    1.  Go to user or group setup in ACS
    2.  Drop down to "TACACS+ Settings"
    3.  Place a check in "Shell (Exec)"
    4.  Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Do rate helpful posts

Similar Messages

  • HOW TO ASSIGN MCSI REPORT WITH MC93

    Dear Gurus
    In my company, we have created one infostructure for the MCSI report. The data is being populated and the report can also be seen.
    But now I want to put planned quantity/material for this infostructure through MC93, so that I can compare the actual sales with planned sales.
    Would you please advise me how to assign the infostructure to MC93 to put in the planned quantity/target.
    thank you
    shabbir
    Edited by: ashabbir on May 25, 2010 11:08 AM

    Hello Shabbir
    1) First create a 'PLANNING hierarchy' using T code MC61. Specify the custom infostructure and do not enter any characteristics in the next screen. In the next screen enter the plan data level by level for all characteristics.
    2) Now get into MC93 to create planning. Enter your custom infostructure in the opening screen for 'Planning Type'. Enter the characteristics as needed and click enter. Enter the plan data in the next screen and save the version.
    3) Now use MCSI with your custom infostructure and when the standard Analysis: Basic list is displayed, go via menu option Edit/Comparisons/Planned/Actual to see the comparison.
    Hope this helps.

  • How to assign function module with process code in IDOC ?

    How to assign a function module to a process code in IDoc? And what code do I have to write in that function module for a custom IDoc?
    A helpful answer will be rewarded.

    Hi,
    First go to transaction WE42 --> editing mode --> new entries --> give the name of your process code and description --> processing with ALV service and function module --> then press enter --> after that enter the name of the function module you want to associate from the drop down and save it.
    That's the way to assign a function module to a process code.
    In that process code we will have the function modules and BAPIs which take the data we are sending through the IDoc and then process it.
    For example: I am triggering the IDoc for every purchase order created; then this process code in the receiver system will take the data which I have entered in the sender system to create the purchase order, process it and create the same purchase order in the receiver's system.
    Reward if helpful.
    with regards,
    Syed

  • How to assign cost centre with position

    Hi Guys
    How to assign cost centre with a position?
    thanks

    Hi,
    Go to t code PPOM_OLD and select your organisational unit.
    Then click on staff assignments and then GOTO in the menu bar, click on Account assignment.
    Put the cursor on the position, click on the master cost center icon and assign the cost center.
    Cheers
    Ramesh

  • Privilege level with ACS

    I am trying to configure a group of users to get read-only access onto our equipment (switches and routers) and specifically show run or show start. I set the command set to permit those 2 commands and I created a rule for that group, but it doesn't work as desired.
    any ideas?  Thank you.

    There are a couple of ways that you can accomplish what you are looking to do.  What you need to remember is that when showing the running-config you can only see what you have authorization to configure so just allowing a RO user to execute the show run command isn't going to show them much.
    One thing you could do is to lower the privilege level required to run the "show configuration" command.  The command is "privilege exec level 1 show configuration" and would need to be applied to all your devices.  This would allow privilege level 1 users to view the startup-config but not the running-config.
    Since you are running ACS, another solution would be to create a rule to permit these RO users to login and actually authorize at level 15, which by default allows one to configure everything (remember, to be able to see it in the running-config you must be authorized to configure it).  Then create a limited command set that only allows the commands they need to use.
    Hope this helps,
    Greg

  • Assigning privilege level using Radius

    I'm trying to assign a privilege level on a Cisco router via RADIUS. I'm using the Cisco Secure ACS (Windows 2K).
    I have set the privilege level to 15. But when I telnet to the router, I always get the router> prompt instead of the router# prompt.
    How can I configure the RADIUS server/router so that when I get successfully authenticated, the router# prompt is shown?
    I've configured the router as below:
    aaa authentication login vtymethod group radius enable
    aaa authorization exec vtymethod group radius local
    radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco
    line vty 0 4
    authorization exec vtymethod
    login authentication vtymethod
    On the Radius, I've configured as below:
    In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.
    Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.
    Is there something I'm missing?
    Appreciate the help.
    Thanks.
    sweeann

    Hi
    I'm curious... what is the perceived benefit of using RADIUS instead of TACACS+?
    Given that ACS supports both and that T+ is a superior protocol for device admin.
    I once heard someone mutter that T+ was proprietary... but all they were doing was sending (effectively) T+ av-pairs via Cisco RADIUS VSAs. Not significantly different, one could argue!
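    The group settings sweeann describes (Service-Type = NAS Prompt and the cisco-av-pair shell:priv-lvl=15) reach the router as RADIUS attributes in the Access-Accept. The Python below is an added example, not code from this thread or from Cisco: it encodes those two attributes as RFC 2865 lays them out (Service-Type is attribute 6, Vendor-Specific is attribute 26 carrying Cisco's vendor id 9 and vendor type 1 for cisco-avpair), decodes them back, and derives the requested privilege level, defaulting to 1 when no shell:priv-lvl pair is present. The constant and function names and the sample attribute list are my own constructions.

```python
import struct

# RFC 2865 attribute types and values used in the thread
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT = 7          # "NAS Prompt" in the ACS group settings
VENDOR_ID_CISCO = 9                  # IANA enterprise number for Cisco
CISCO_VSA_AVPAIR = 1                 # Cisco vendor type for cisco-avpair


def encode_service_type(value):
    """Service-Type attribute: type(1) length(1)=6 value(4), network byte order."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def encode_cisco_avpair(text):
    """Vendor-Specific attribute wrapping a single cisco-avpair string."""
    payload = text.encode("ascii")
    inner = struct.pack("!BB", CISCO_VSA_AVPAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", VENDOR_ID_CISCO) + inner
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a one-byte length field")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_tlvs(blob):
    """Walk type/length/value triples; the length byte covers the 2-byte header."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute type {t}")
        yield t, blob[i + 2:i + length]
        i += length


def decode_attributes(blob):
    """Return (service_type or None, [cisco-avpair strings]) from an attribute list."""
    service_type, avpairs = None, []
    for t, value in iter_tlvs(blob):
        if t == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif t == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor != VENDOR_ID_CISCO:
                continue            # some other vendor's VSA; ignore it
            for vt, vv in iter_tlvs(value[4:]):
                if vt == CISCO_VSA_AVPAIR:
                    avpairs.append(vv.decode("ascii", errors="replace"))
    return service_type, avpairs


def shell_priv_lvl(avpairs, default=1):
    """Privilege level requested by shell:priv-lvl, or the default (1) when absent."""
    level = default
    for pair in avpairs:
        key, sep, val = pair.partition("=")
        if sep and key.strip() == "shell:priv-lvl":
            n = int(val.strip())
            if not 0 <= n <= 15:
                raise ValueError(f"privilege level out of range: {n}")
            level = n
    return level


def build_accept_attributes(level=15):
    """Constructed Access-Accept attribute list matching the group settings in the thread."""
    return encode_service_type(SERVICE_TYPE_NAS_PROMPT) + encode_cisco_avpair(f"shell:priv-lvl={level}")


if __name__ == "__main__":
    blob = build_accept_attributes()
    print(blob.hex())
    st, pairs = decode_attributes(blob)
    print("Service-Type:", st, "av-pairs:", pairs, "priv-lvl:", shell_priv_lvl(pairs))
```

    Running decode_attributes over the attribute section of a captured Access-Accept is a quick way to confirm whether the ACS is actually sending the av-pair: with no shell:priv-lvl pair present the decoder falls back to level 1, which is exactly the router> prompt the poster is seeing.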

  • Assigning Privilege Level Thru RADIUS

    I'm using Microsoft IAS as my RADIUS server. We have a number of Cisco 2800 routers running the latest IOS which are also acting as VPN servers for our remote users connecting using their laptops via IPSec and Cisco VPN Client. How can I set the privilege level for the authenticated users so that the remote VPN users are given privilege level 0 and the Administrators are given privilege level 15, so they can login to routers and manage them?

    Prem
    Thanks for attaching a very interesting document. worth the 5 rating.
    HTH
    Rick

  • How to assign contact person with user id to vendor via upload

    Dear All,
    We have successfully uploaded external business partners (Vendors) from ECC6 to SRM5.0 via BBPGETVD. So the vendor is available in PPOMV_BBP.
    Now we would like to assign the contact person with user ID to this vendor so that he can log on to our system and update the Bid.
    If we create a contact person (employee) via "Manage Business Partner", the system provides the option to create the contact person and User ID under "Employee for Business Partner".
    But we can only create contact persons one by one, and our client has 600 vendors from ECC already transferred to SRM.
    How to rapidly create and assign contact persons to all vendors?
    Anyone who has ideas for upload via text file or Excel sheet, please advise me.
    Best Regards,
    Theerat.

    Hello Theerat,
    Try these FMs:
    BBP_CREATE_CONTACT_PERSON
    BBP_CREATE_CONTACT_USER
    muthu
    Edited by: Muthuraman Govindasamy on Oct 7, 2008 9:16 AM

  • How to assign Release strategy with new PO type

    Hi experts,
    I have created a new PO type but it is not mapped to a release strategy at the time of raising a purchase order.
    I have done the following steps:
    a) Creation of new doc type via SPRO > MM > PURCHASING > PO > DEFINE PO TYPE
    b) Edit characteristics in release strategy via path SPRO > MM > PURCHASING > PO > RELEASE PROCEDURE FOR PO > EDIT CHARACTERISTICS > VALUES (MENTION NEW PO TYPE & DESC. HERE)
    Still I am unable to find release strategy tab in purchase order. Please help.
    Suggestions / Rewards will be highly appreciated.
    Regards,
    ( Rajneesh Gulati )

    Hi ,
    I don't know how much customisation you have completed,
    But for release strategy:
    1. Following are the important characteristics (CT04) you have to define:
    Order type (Purchasing)
    Plant
    Total net order value (with table & field)
    2. Check or create release group assigned to the appropriate class (CL01, with the above characteristics)
    3. Define release code (in this you define release level -- supervisor, manager etc)
    4. Release indicator (block, release)
    5. Define the group with strategy; in that specify prerequisites, release status, classification (specify the document & plant you want to maintain)
    6. Create PO (ME22). In ME29 you can release it (unless you can't process)
    Dev

  • How to Set Input Levels with FirePod and GarageBand

    Hello ....
    I've got Garageband and my Firepod 8 channel interface working ... but I need some tips .. especially on the relationship of input levels between my Firepod and Garageband ....
    When I am setting input levels for a recording ... where should the input level be on the track in Garageband? .... Is that volume setting only for playback and mixing? .... or is it for the input as well ...
    Thank you ....

    Where should the initial input levels be set? ... Would you use the loudest
    part of the song to do this? ...
    Yes, as loud as possible without lighting the FP's clip LEDs.
    When I mix the final product ... and change the volumes on the different
    tracks.. aren't you then changing the input levels?
    No, you're changing the output levels.
    can't you red line and overload the track?
    Yes, that's why each track has a fader, so that you don't clip.
    Is there a master output level indicator?
    Yes, right over the Master Volume slider.
    I guess you can't just put each track as loud as you want ... correct?
    As loud as you want without clipping.
    I would strongly suggest doing some web searches on "Mixing and Mastering" to learn more about how to mix, there's a TON of info floating around the web.

  • Username with privilege level 15 bypass enable

    Hi experts,
    I guess I never really understood the authentication process on Cisco routers and devices lol. Anyway I want users with privilege level 15 to be put in enable mode right away after login without having to type in the "enable" command and enable password. Users with other privilege levels will still be put in EXEC mode.
    AAA has to be enabled because I'm using it for 802.1x as well.
    The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:
    aaa new-model
    username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0
    username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.
    line vty 0 5
    access-class 100 in
    exec-timeout 30 0
    logging synchronous
    transport input ssh
    And it's not working lol. No matter whether I log in with "admin" or "cisco", I'm put in EXEC mode... What do I have to do to achieve this?
    Thanks!

    Hi,
    With the default keyword, authorization will get applied on all the lines, i.e. CONSOLE, VTY, AUX.
    In case you want it for users who are trying to log in via ssh or telnet, use the following:
    EXEC AUTHORIZATION
    Router
    router(config)#aaa authorization exec TEL group radius local
    router(config)#line vty 0 15
    router(config-line)#authorization exec TEL
    ACS
    Interface configuration
    Check user & group for cisco av-pair.
    User setup -> cisco ios/pix 6.x radius attributes -> cisco av-pair [ shell:priv-lvl=15]
    OR
    Group setup -> ios/pix 6.x radius attributes -> shell:priv-lvl=15
    In case of RADIUS, if exec authorization is enabled and you have not specified any privilege level in the ACS server, then the user will fall under privilege level 1, and if enable authentication is enabled or an enable password is defined on the router then we can go to enable mode by typing en or en
    Regards,
    Anisha
    P.S.: please mark this thread as resolved if you think your query is answered.
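    Anisha's answer turns on exec authorization being bound to the vty lines, either explicitly (authorization exec TEL) or through the default list. The Python below is an added example, not code from this thread or from Cisco: it reads an IOS-style config such as the ones pasted above and reports vty lines that have no exec authorization at all, that reference a method list which is never defined, or whose list has no local fallback after the RADIUS group. The set of line-mode keywords used to recover block structure from an unindented paste and the sample configs are my own assumptions.

```python
import re

# Line-mode subcommands accepted as block continuations even when a pasted
# config has lost its leading space (assumption for parsing, not an IOS rule)
LINE_SUBCOMMANDS = {
    "authorization", "login", "transport", "access-class", "exec-timeout",
    "logging", "password", "privilege", "exec", "accounting", "session-timeout",
}


def parse_ios_aaa(config):
    """Return (exec_lists, line_blocks) from IOS-style config text.

    exec_lists:  {list_name: [methods...]} from 'aaa authorization exec <name> <methods>'
    line_blocks: {"vty 0 5": {"authorization": <list name or None>}, ...}
    """
    exec_lists, line_blocks, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        first = text.split()[0]
        # Inside a 'line' block: indented text or a known line keyword continues it
        if current and (raw[:1].isspace() or first in LINE_SUBCOMMANDS):
            m = re.match(r"authorization exec (\S+)$", text)
            if m:
                line_blocks[current]["authorization"] = m.group(1)
            continue
        current = None                      # any other global command ends the block
        m = re.match(r"aaa authorization exec (\S+)\s+(.+)$", text)
        if m:
            exec_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"line (con(?:sole)?|aux|vty)\b\s*(.*)$", text)
        if m:
            current = f"{m.group(1)} {m.group(2)}".strip()
            line_blocks[current] = {"authorization": None}
    return exec_lists, line_blocks


def audit_exec_authorization(config):
    """Flag vty lines whose EXEC sessions would not receive a privilege level from AAA."""
    exec_lists, line_blocks = parse_ios_aaa(config)
    findings = []
    for name, info in line_blocks.items():
        if not name.startswith("vty"):
            continue
        applied = info["authorization"] or ("default" if "default" in exec_lists else None)
        if applied is None:
            findings.append(f"{name}: no exec authorization; the username/ACS privilege "
                            f"level is never applied and users start at plain EXEC")
        elif applied not in exec_lists:
            findings.append(f"{name}: method list '{applied}' is not defined")
        elif "local" not in exec_lists[applied]:
            findings.append(f"{name}: list '{applied}' has no local fallback; EXEC "
                            f"authorization errors out if the AAA servers are unreachable")
    return findings


# Constructed sample configs (the secret hashes are placeholders, not real ones)
SWITCH_NO_AUTHZ = """\
aaa new-model
username admin privilege 15 secret 5 $1$PLACEHOLDER
line vty 0 5
 access-class 100 in
 logging synchronous
 transport input ssh
"""
SWITCH_FIXED = SWITCH_NO_AUTHZ + "aaa authorization exec default local\n"
ROUTER_RADIUS = """\
aaa new-model
aaa authorization exec TEL group radius local
line vty 0 15
 authorization exec TEL
"""
ROUTER_NO_FALLBACK = ROUTER_RADIUS.replace("group radius local", "group radius")
ROUTER_PASTED = ROUTER_RADIUS.replace("\n authorization", "\nauthorization")   # unindented paste

if __name__ == "__main__":
    for label, cfg in [("switch as posted", SWITCH_NO_AUTHZ), ("switch fixed", SWITCH_FIXED),
                       ("router radius", ROUTER_RADIUS), ("router no fallback", ROUTER_NO_FALLBACK)]:
        print(label, "->", audit_exec_authorization(cfg) or "OK")
```

    The first sample mirrors the switch config in the question: aaa new-model and a level-15 username, but no aaa authorization exec anywhere, which is why both users land in EXEC mode. Adding a default (or per-line) exec authorization list clears the finding; the no-fallback check is the operational caveat that goes with moving privilege assignment to a RADIUS server.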

  • How to "revoke" privilege with dbms_xdb.changeprivileges

    Dear All!
    How to "revoke" privilege granted with the following code
    DECLARE
    r pls_integer;
    priv xmltype;
    priv_data varchar2(2000);
    BEGIN
    priv_data :=
    '<ace
    xmlns="http://xmlns.oracle.com/xdb/acl.xsd"
    xmlns:dav="DAV:"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd
    http://xmlns.oracle.com/xdb/acl.xsd
    DAV:http://xmlns.oracle.com/xdb/dav.xsd">
    <principal>DVLP</principal> <grant>true</grant>
    <privilege><all/></privilege>
    </ace>';
    priv := xmltype.createxml(priv_data);
    r := dbms_xdb.changeprivileges('/xdbconfig.xml', priv);
    END;
    This code is generated by Enterprise Manager
    I guessed that it is necessary to replace grant with deny
    But there is no schema definition for deny in the parent 'ace'
    Thank you in advance for help
    Regards
    Artem

    Dear Mark!
    Thank you for your reply
    I'll try and let you know about results
    Note that This code was generated by Enterprise Manager
    and it seems that it generates the same code when you try
    to grant and revoke privilege!
    Regards
    Artem

  • ASDM and privilege level (using TACACS)

    Hi experts,
    Initial question:     How can I force ASDM to ask for the enable password when the user clicks on Apply ?
    Environment description:
    I have an ASA 5510 connected to an ACS 5.0.
    Security policy:
    I want the users defined on my ACS to be able to gain privilege level 15 but only after using their enable password. But by default the user must be in non-privileged mode (<15).
    An SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
    ACS configuration:
    Maybe I misunderstand the TACACS privilege level parameters on ACS.
    I set a Shell Profile which gives the user the following privilege levels:
    Default Privilege Level = 7
    Maximum Privilege Level = 15
    1st config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    ! no authorization set
    Results:
         On CLI:     perfect
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 15 directly
    It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
    So OK for CLI, but NOK for ASDM
    2nd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    ! no authorization command set
    Results:
         On CLI:     lose enable access
    I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case the ASA uses the TACACS Default Privilege Level value.
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window BUT the user has full rights and can change settings.
    So NOK for CLI and ASDM
    Question:    Why do I have more access rights with ASDM than on CLI with the same settings ?
    3rd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     lose enable access (same as config 2)
         On ASDM:     unable to gain privilege level 15 --> acceptable
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window AND the user really has level 7 access rights.
    So NOK for CLI and Acceptable for ASDM
    Question:     Is there no possibility to move to enable mode on ASDM ?
    4th config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! no aaa authentication for 'enable access', using local enable_15 account
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     acceptable
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
         On ASDM:     unable to gain privilege level 15 --> acceptable (same as config 3)
    So Acceptable for CLI and ASDM
    Questions review:
    1 - Is it possible to force ASDM to ask for the enable password when the user clicks on Apply ?
    2 - Why do I have different access rights using ASDM than on CLI with the same settings ?
    3 - Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15 ?
    4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?
    Thanks for your help.

    Thanks for your answer jedubois.
    In fact, my security policy is like this:
    A) Authentication has to be nominative with password enforcement policy
         --> I'm using CS ACS v5.1 appliance with local user database on it
    B) Every "network" user can be granted privilege level 15
         --> max user privilege level is set to 15 in my authentication mechanism on ACS
    C) A "network" user can log onto the network equipment (RTR, SW and FW) but having monitor access only first.
    D) A "network" user can be granted privilege level 15 after a second authentication which generates a log message
         --> SNMP trap sent to supervision server
    E) The user password and enable password have to be personal.
    So, I need only 2 privilege levels:
    - monitor (any level from 1 to 14. I set 7)
    - admin (level 15)
    For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted privilege level 15.
    ASDM interface is requested by the customer.
    For ASDM, as I was not able to satisfy the security policy, I apply this:
    1- I activated Exec Shell Access authorization to get the default user privilege level value from ACS
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 but I am able to change the parameters.
    2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 and I can't push any modification.
         --> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default privilege level" 7 and can't get access to "max privilege level 15" as defined on ACS when LOCAL authorization is set
         (ok, I go on my ACS and move the default privilege level to 15 to restore admin access to the ASA and apply 3- before resetting the default privilege level to 7)
    3- I remove "aaa authorization enable console TACACS" to use the local enable password
         --> now I can't get admin access on ASDM: OK
         --> and I can get admin access on CLI entering the local enable password
    At the end, I satisfy my security policy tokens A to D but not E. That's a good compromise, but do you see a solution to satisfy E as well ?
    Thanks

  • Privilege level 15 to ASA cli administrator via Radius

    Hello Friends!
    Is this supported yet on the ASA?  I want to be able to have radius assign privilege levels to firewall cli administrators.
    Upon login, I'd like them to be immediately be placed into "enabled mode" (without needing to know the local enable password).  I believe we can set the maximum privilege level the user can attain.  But for now, I simply want to have everyone go into priv level 15 without having to know the shared enable secret password.  Switching to tacacs isn't an option.
    I remember finding out a while back that this was not possible.  Please tell me this is now possible.  It's almost 2013.

    Thanks Marcin!
    Very interesting.  Now that you mention it, I do remember seeing someone use the login command after they had already logged in.  That's what they must have been doing.  I wonder what the thought process was in developing it this way.
    I suppose a few different ways around this are (since not everyone will know of this odd behavior and I'm not the only one logging in) to configure radius to authenticate users and then either:
    1.  Configure a MOTD banner that says "ATTENTION:  Type the command 'login', followed by your regular credentials AGAIN to be put into enable mode."
    or
    2.  Configure a MOTD banner that says "ATTENTION:  To gain enable mode privileges, type the command 'enable', followed by the password cisco.".
    Horrible idea?  Thoughts?
    // example of the second 'login' command working:
    ssh [email protected]
    [email protected]'s password:
    Warning!
    Warning!
    Type help or '?' for a list of available commands.
    fw1> ?
      clear       Reset functions
      enable      Turn on privileged commands
      exit        Exit from the EXEC
      help        Interactive help for commands
      login       Log in as a particular user
      logout      Exit from the EXEC
      no          Negate a command or set its defaults
      ping        Send echo messages
      quit        Exit from the EXEC
      show        Show running system information
      traceroute  Trace route to destination
    fw1> login
    Username: admin
    Password: *********
    fw1#
    fw1# sh run username
    username admin password encrypted privilege 15

  • How to assign Function key in Module Pool Program

    Dear all,
             I have created the program in MPP.  I have to assign a function key for this program.  How do I assign it?
    With Regards,
    Baskaran

    HI
    Double click on your Screen and then the Elements tab, give OK_CODE of OK_CODE.
    Now click on the Flow Logic tab, uncomment MODULE STATUS_YOUR_SCREEN_NUMBER. Create this.
    Here you find SET PF_STATUS. Just double click on this; this will enable you to assign Function Keys.
    If you want to assign a Function Key to the Push Buttons that you created, double click on the Push Button; then on the Attributes screen you can enter the Function Code for this Push Button.
    Hope this is Very Clear to you.
    Cheers
    Ram
