Privileges for Cisco Devices

I have ACS 3.2 and a bunch of TACACS configured Cisco devices.
I want to give techs a limited set of access to the environment so they can modify VLAN assignments of ports.
So they would need to be able to access privileged mode, but only execute things like:
sh run
config t
config int y
switchport access vlan x
wr
Will be sure to rate. Thanks!!!!
Can someone help me understand how?

This is more of an ACS-side question, and hence you should try to post it to CSC's AAA community here:
https://supportforums.cisco.com/community/5936/aaa-identity-and-nac
ACS does have this feature to provide restricted access to users by creating such a restricted profile.
You can create Command Authorization Sets to perform this. Command authorization sets provide a central mechanism to control the authorization of each command issued on any given network device. This greatly enhances the scalability and manageability of setting authorization restrictions.
You can check Command Authorization Set here for ACS 3.2:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a4a.html#wp737563
-Thanks
Vinod
**Encourage Contributors for free. Rate them :) **
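To make the command authorization set concrete, here is an added illustration (written for this thread, not ACS code or Cisco documentation) of the permit/deny evaluation a command set performs. It models each command entry as a first keyword with permit and deny argument patterns plus an "unmatched arguments" decision, and the set as a whole with an "unmatched commands" decision, and builds the set the original poster describes. The VLAN range 100-199 and the interface-name patterns are assumptions chosen for the example; IOS passes expanded command keywords to the TACACS+ server, so the patterns are written against "show running-config" rather than "sh run".

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Simplified model of an ACS command authorization set. Assumption: this
# mirrors the permit/deny semantics of the ACS command set feature closely
# enough to reason about a policy; it is an illustration, not ACS code.


@dataclass
class CommandRule:
    """One command entry. Argument patterns are regular expressions that must
    match the whole argument string (everything after the first keyword)."""
    permit_args: list[str] = field(default_factory=list)
    deny_args: list[str] = field(default_factory=list)
    unmatched_args: str = "deny"      # decision for arguments no pattern matched


@dataclass
class CommandAuthSet:
    rules: dict[str, CommandRule]      # first keyword -> CommandRule
    unmatched_commands: str = "deny"   # decision for commands not listed at all

    def authorize(self, line: str) -> bool:
        tokens = line.split()
        if not tokens:
            return False
        command, args = tokens[0], " ".join(tokens[1:])
        rule = self.rules.get(command)
        if rule is None:
            return self.unmatched_commands == "permit"
        # Deny patterns are evaluated first, so an explicit deny always wins.
        if any(re.fullmatch(p, args) for p in rule.deny_args):
            return False
        if any(re.fullmatch(p, args) for p in rule.permit_args):
            return True
        return rule.unmatched_args == "permit"


# The set the original poster asked for: view the config, enter a physical
# port, change its access VLAN, save. Everything else is denied by default.
# VLAN range 100-199 and the interface patterns are constructed for this example.
VLAN_TECH_SET = CommandAuthSet(
    unmatched_commands="deny",
    rules={
        "show": CommandRule(permit_args=[r"running-config"]),
        "configure": CommandRule(permit_args=[r"terminal"]),
        # Physical ports only; SVIs and port-channels are explicitly denied.
        "interface": CommandRule(
            permit_args=[r"(Fast|Gigabit)Ethernet\d+/\d+(/\d+)?"],
            deny_args=[r"Vlan\d+", r"Port-channel\d+"],
        ),
        # Only 'switchport access vlan <100-199>'; mode/trunk changes stay denied.
        "switchport": CommandRule(permit_args=[r"access vlan 1\d\d"]),
        "write": CommandRule(permit_args=[r"", r"memory"]),
        "end": CommandRule(permit_args=[r""]),
        "exit": CommandRule(permit_args=[r""]),
    },
)


def authorize_session(auth_set: CommandAuthSet, commands: list[str]) -> list[tuple[str, bool]]:
    """Replay a list of commands against the set and return (command, decision)
    pairs, the way one would audit a TACACS+ command-authorization log."""
    return [(c, auth_set.authorize(c)) for c in commands]


if __name__ == "__main__":
    session = [                          # constructed sample session
        "show running-config",
        "configure terminal",
        "interface GigabitEthernet0/12",
        "switchport access vlan 120",
        "switchport mode trunk",         # denied: no pattern permits it
        "interface Vlan1",               # denied explicitly
        "switchport access vlan 1",      # denied: outside 100-199
        "no shutdown",                   # denied: keyword not in the set
        "write memory",
    ]
    for cmd, ok in authorize_session(VLAN_TECH_SET, session):
        print(f"{'PERMIT' if ok else 'DENY  '} {cmd}")
```

Two design points carry over to a real command set: deny entries are checked before permit entries so a broad permit pattern cannot accidentally re-open an explicit deny, and leaving "unmatched commands" at deny means any keyword you forgot to list (reload, no, vlan) is refused rather than silently allowed.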

Similar Messages

  • Log Analyzer for Cisco devices

    Hi all:
    Could you please help me finding a Log Analyzer tool for Cisco devices (preferably, free).
    Thanks!
    W.

    In the free arena, many people recommend the Kiwi Syslog Analyzer. Solarwinds bought the product last year and now market a licensed version, but they still offer a free version as well. See:
    http://www.solarwinds.com/products/freetools/kiwi_syslog_server/

  • ISE version 1.0 - Unable to get management access for cisco devices

    Hi All,
    I want to manage all cisco devices with read and write privilege with ISE 1.0.
    Is this functionality available in this version?
    I configured the 2960 switch. On the switch the RADIUS test is successful. When I telnet to the switch, it asks for username and password, but the message is authorization failed, while ISE shows authentication is successful.
    Is it a configuration issue, or is this feature not available in this version?
    Regards,
    Hanumant

    Hanumant,
    You will have to create an authorization profile to send back the privilege level for the user:
    Here is the attribute (cisco-av-pair) you will have to send back:
    shell:priv-lvl=xx

  • How to find useful MIBs for Cisco Devices?

    Hi,
    I am setting up a new Monitoring System (CA Netvoyant). It has some default Cisco monitoring capabilities (I believe these are some standard MIBs). I am wondering how I can add more useful Cisco MIBs for the devices I have in my network. There are thousands of MIBs and it looks like it is not easy at all to find the useful ones.
    For example the MIBs that can give you Emergency and up to warning level information, cpu, memory, interface errors, module failures (in case of Cat 6500), FWSM, BGP, VPN tunnel status notifications. Is there a list of useful MIBs for each device type, like Cat 6500, ASA5540, Cat 3750-E etc depending on IOS Image?
    Any help in setting up the SNMP monitoring system would be really helpful.
    Thanks

    If there is a MIB for it, most SNMP Capable Management servers can poll them.
    This can be things such as FHRP states, routing peers, ASA failover status, serial numbers for inventory purposes.
    The potential is almost endless, it just depends what you should monitor to ensure you are in the know when your network hiccups.
    Here is a link to the IOS MIB Viewer:
    http://tools.cisco.com/ITDIT/MIBS/MainServlet
    CCNP, CCIP, CCDP, CCNA: Security/Wireless
    Blog: http://ccie-or-null.net/

  • Recommended grounding for Cisco devices

    Hi,
    Please suggest what should be the best earth grounding in volts for Cisco devices as per the Indian electronic standard.


  • Build Documents for Cisco Devices

    I am in the process of making build documents for Cisco switches and firewalls. Is there any template for making build documents, what are the details that I need to include in the build documents?

    The term "build document" can mean many things to many people. Please tell us some more specifics about what you're looking to do.
    You might also want to look at some Cisco Validated Design (CVD) documents in the meantime. For instance, look at the Campus LAN Design guide found on this page.

  • Cisco devices configuration for CW-LMS

    Hello,
    I am new to CiscoWorks LMS. I am working with an LMS 3.2 fresh installation. I added all the devices (routers, switches and 3 ASAs) into the DCR. Now I need to know how to configure the devices to send relevant info to the CW LMS machine. I am looking for something similar to this:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap10.html#wp1056411
    This is a deployment model for Cisco MARS, which shows what to configure on each device in the network to send the most relevant info (syslog, netflow) to the Cisco MARS.
    Is there a best practice for CW LMS regarding this? For example, what syslog level should the routers send to the LMS?
    Thank you!

    There is a deployment guide whitepaper for LMS at http://www.cisco.com/en/US/products/sw/cscowork/ps2425/prod_white_papers_list.html .  As for what to do syslog-wise, you should configure your logging facility to be local7 (this is the default on IOS, but not on ASA OS), and send at least sev 5 or higher messages.  You may want to bump that up to sev 6 (informational), but sev 5 for IOS devices will be sufficient to get things like configuration change messages.  For CatOS, you definitely want sev 6.

  • Syslog server for Monitoring Cisco devices

    I am looking for a syslog server to log all logs from Cisco devices. We have more than 800 Cisco devices. Can anyone tell me what syslog server I should use to log these files?
    Thank you.

    Has anyone used the Cisco recommendation of Building Scalable Syslog Solutions?
    http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000318
    I used this in another organization and we were very successful. We currently use Netcool that feeds from a syslog, and we get several non-actionable alarms, and it's very time consuming for 13,000 devices. I would only like to alert on 0-5 Cisco syslog messages. Below is the response from my Netcool Administrator (What are your thoughts?):
    From my Netcool Administrator:
    Regarding using the Cisco syslog severity for alert control, I feel that is not the best way to control the work in Netcool.
    1. -- Cisco is not consistent with the use of this value.
        Examples:
            In this case the important message is the lower severity alert: I would consider the BGP-3-NOTIFICATION to be level 6, Informational.
            Aug  4 03:10:01 rtgara02r01m04-lb0.us.bank-dns.com 001458: Aug  4 03:10:01: %BGP-5-ADJCHANGE: neighbor 10.93.69.106 Down BGP Notification sent
            Aug  4 03:10:02 rtgara02r01m04-lb0.us.bank-dns.com 001459: Aug  4 03:10:01: %BGP-3-NOTIFICATION: sent to neighbor 10.93.69.106 4/0 (hold time expired) 0 bytes   
            This one is near the top level of severity per Cisco but not all that severe in reality; further, this syslog has a bug where the threshold is not even exceeded:
            %ENVMON-1-CPU_WARNING_OVERTEMP: Critical Warning: CPU temperature 107C exceeds threshold 110C.  Please resolve system cooling immediately to prevent system damage
            This one is reporting a standard condition:
            %ILPOWER-5-POWER_GRANTED: Interface Fa0/24: Power granted
            Here is an example of a 1 where the voice group says that nothing is wrong:
            Aug  4 13:08:42 rtgcaa75u01-01.sw.us.bank-dns.com 047489: Aug  4 11:08:41: %IVR-1-APP_PARALLEL_INVALID_LIST: Call terminated.  Huntgroup '1' does not contain enough valid SIP end-points to proceed with a parallel call.
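The Netcool administrator's point is that the severity digit in %FACILITY-SEVERITY-MNEMONIC cannot be used directly as the alert threshold. The following is an added example (not from the post or from Netcool) of the re-rating step a collector would apply before the "alert on 0-5" rule: it parses the IOS message header, applies a local override table keyed on facility and mnemonic, and for ENVMON-1-CPU_WARNING_OVERTEMP compares the reported temperature against the threshold in the message text so the message is only kept critical when the threshold really is exceeded. The override values, the hostnames and the two extra sample lines are constructed for this example; the other sample messages are the ones quoted above.

```python
import re
from dataclasses import dataclass

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: text, found anywhere in the
# line after the syslog timestamp / hostname / sequence-number prefix.
IOS_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
OVERTEMP_RE = re.compile(r"temperature (?P<cur>\d+)C exceeds threshold (?P<thr>\d+)C")

# Local effective severities for messages whose Cisco-assigned value the
# administrator above considers misleading. Values are constructed for this
# example; a real deployment tunes them against its own alert history.
SEVERITY_OVERRIDES = {
    "BGP-NOTIFICATION": 6,                # routine companion of ADJCHANGE: informational
    "BGP-ADJCHANGE": 3,                   # the neighbour actually went down: error
    "ILPOWER-POWER_GRANTED": 6,           # normal PoE operation
    "IVR-APP_PARALLEL_INVALID_LIST": 6,   # voice group says nothing is wrong
}
ALERT_MAX_SEVERITY = 5                    # alert on 0-5, as the poster wants


@dataclass
class IosEvent:
    facility: str
    severity: int        # as sent by the device
    mnemonic: str
    text: str
    effective: int       # after local re-rating


def effective_severity(facility: str, severity: int, mnemonic: str, text: str) -> int:
    key = f"{facility}-{mnemonic}"
    if key in SEVERITY_OVERRIDES:
        return SEVERITY_OVERRIDES[key]
    if key == "ENVMON-CPU_WARNING_OVERTEMP":
        # The message can fire with a reading below the threshold it claims to
        # exceed; keep it critical only when the numbers actually say so.
        m = OVERTEMP_RE.search(text)
        if m and int(m["cur"]) < int(m["thr"]):
            return 6
    return severity


def parse_ios_syslog(line: str):
    """Return an IosEvent for a line carrying an IOS message header, else None."""
    m = IOS_MSG_RE.search(line)
    if not m:
        return None
    sev = int(m["severity"])
    return IosEvent(m["facility"], sev, m["mnemonic"], m["text"],
                    effective_severity(m["facility"], sev, m["mnemonic"], m["text"]))


def should_alert(event: IosEvent) -> bool:
    return event.effective <= ALERT_MAX_SEVERITY


def triage(lines):
    """[(facility-mnemonic, sent severity, effective severity, alert?)] for the
    lines that parse as IOS messages; non-IOS lines are dropped."""
    out = []
    for line in lines:
        ev = parse_ios_syslog(line)
        if ev:
            out.append((f"{ev.facility}-{ev.mnemonic}", ev.severity, ev.effective, should_alert(ev)))
    return out


# Sample input: messages quoted in the post (hostnames replaced) plus one
# constructed genuine over-temperature and one constructed config-change message.
SAMPLE_LINES = [
    "Aug  4 03:10:01 rtr1.example.net 001458: Aug  4 03:10:01: %BGP-5-ADJCHANGE: neighbor 10.93.69.106 Down BGP Notification sent",
    "Aug  4 03:10:02 rtr1.example.net 001459: Aug  4 03:10:01: %BGP-3-NOTIFICATION: sent to neighbor 10.93.69.106 4/0 (hold time expired) 0 bytes",
    "%ENVMON-1-CPU_WARNING_OVERTEMP: Critical Warning: CPU temperature 107C exceeds threshold 110C.  Please resolve system cooling immediately to prevent system damage",
    "%ILPOWER-5-POWER_GRANTED: Interface Fa0/24: Power granted",
    "Aug  4 13:08:42 sw1.example.net 047489: Aug  4 11:08:41: %IVR-1-APP_PARALLEL_INVALID_LIST: Call terminated.  Huntgroup '1' does not contain enough valid SIP end-points to proceed with a parallel call.",
    "%ENVMON-1-CPU_WARNING_OVERTEMP: Critical Warning: CPU temperature 115C exceeds threshold 110C.  Please resolve system cooling immediately to prevent system damage",
    "Aug  4 14:00:00 sw1.example.net 047500: Aug  4 12:00:00: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
]

if __name__ == "__main__":
    for key, sent, eff, alert in triage(SAMPLE_LINES):
        print(f"{'ALERT ' if alert else 'ignore'} sent={sent} effective={eff} {key}")
```

The override table is deliberately keyed on facility and mnemonic rather than on the severity digit, which is the administrator's point: the digit is the vendor's opinion, the mnemonic identifies the condition, and only the latter is stable enough to hang an alerting decision on.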

  • Cisco FireSIGHT Management Center,(VMWare) for 2 devices

    Has anyone had luck registering the PAK for Cisco FireSIGHT Management Center (VMWare) for 2 devices (FS-VMW-2-SW-K9)? The process apparently involves logging into 'Defense Center' (part of the product I'm trying to download and install) to grab a license key. Chicken and egg situation to be sure.
    TAC hasn't been any help to date, saying that I need to provide them with a license key.  Anyone?
    Thank you

    So here's the answer.  With the purchase of FS-VMW-2-SW-K9 you also have to buy a SmartNet contract.  Once you successfully have that info, you associate the contract to your profile and are then entitled to download the virtual appliance software.  Once you have deployed the OVF file, you then get access to the 'licence key' or in this case MAC address that allows you to go ahead and fulfill the PAK to get the relevant licenses.  Lots of hoops but I did it.

  • Logging for changing device configuration using cisco prime LMS / PI

    Dear All,
    How do I see / set logging for changing device configuration (routers, switches) using Cisco Prime LMS / PI?
    And how do I see the network topology diagram using PI / LMS?
    Thanks,
    Jerri

    Can anyone help? Thanks.

  • Is it recommended to have a vulnerability scan for a Cisco ASA device?

    Dear everyone. 
    I have a doubt on vulnerability scanning for the Cisco ASA device. Currently we have a vulnerability scan for network devices, including the firewall. But after running the vulnerability scan for the Cisco ASA, nothing shows in the scan report.
    Is it recommended to have a vulnerability scan for the Cisco ASA, and will it defeat the purpose of the firewall?

    Do I understand correctly that you are asking whether you can configure the ASA to allow an external user to run a scan against the internal network?
    If so, the answer is generally no. The ASA will, by default, not allow any inbound connections (or attempted connections) that are not explicitly allowed in an inbound access-list (applied to the outside interface). In most cases there would also need to be network address translation (NAT) rules configured.
    If you had a remote access VPN, you could allow the external scanner to log in via that. They would then have the necessary access to scan the internal systems (assuming the VPN granted access to all the internal networks).

  • Config archive for Cisco 4404 WLC devices

    Nodes are discovered properly, with the correct icon, and inventory updated.... but when we try to download config, we got:
    *** Device Details for XXXXXXX ***
    Protocol ==> Unknown / Not Applicable
    Selected Protocols with order ==> Telnet,TFTP,SSH,RCP,HTTPS
    Execution Result:
    Unable to get results of job execution for device. Retry the job after increasing the job result wait time using the option:Resource Manager Essentials -> Admin -> Config Mgmt -> Archive Mgmt ->Fetch Settings
    We have configured only HTTPS credentials, because the others are not permitted, isn't it?
    Telnet through port 22 works fine (I have read about https://supportforums.cisco.com/message/3053616#3053616)

    in dcmaservice.log:
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.ConfigManager,updateArchive,1941,Sync Archive for 4 devices - Sync Archive
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.ConfigManager,updateArchive,1955,Number of devices in fetch Q = 0
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.ConfigManager,addToDeviceIdToReqIdMap,2289,Device Id 7 already in Q
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,59,inside compareDeviceWithDevicesinRunningThreads method
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,60,Total running threads:5
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,65, Running Thread Thread-7
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,67,Device Id :6
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,68,Device Name :PEDRWLS101
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,65, Running Thread Thread-10
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,67,Device Id :7
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,68,Device Name :PEDRWLS102
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.ConfigManager,addToDeviceIdToReqIdMap,2289,Device Id 6 already in Q
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,59,inside compareDeviceWithDevicesinRunningThreads method
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,60,Total running threads:5
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,65, Running Thread Thread-7
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,67,Device Id :6
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,68,Device Name :PEDRWLS101
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,59,inside compareDeviceWithDevicesinRunningThreads method
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,60,Total running threads:5
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,65, Running Thread Thread-7
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,67,Device Id :6
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,68,Device Name :PEDRWLS101
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,65, Running Thread Thread-10
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,67,Device Id :7
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,68,Device Name :PEDRWLS102
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.ConfigManager,updateArchiveIfRequired,2055,Compared the device with running thread devices.Adding to Fetch Q
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,59,inside compareDeviceWithDevicesinRunningThreads method
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,60,Total running threads:5
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,65, Running Thread Thread-7
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,67,Device Id :6
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,68,Device Name :PEDRWLS101
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,65, Running Thread Thread-10
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,67,Device Id :7
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.CfgThreadManager,compareDeviceWithDevicesinRunningThreads,68,Device Name :PEDRWLS102
    [ Wed Sep 01  15:54:34 CEST 2010 ],INFO ,[Thread-4],com.cisco.nm.rmeng.dcma.configmanager.ConfigManager,updateArchiveIfRequired,2055,Compared the device with running thread devices.Adding to Fetch Q

  • Cisco Network Assistant, Enter Password for each device

    Does anyone know a way that when you open a community you have to enter your username and password for each device listed in that community? I know with it currently you enter your username and password one time for all devices, but I want it to prompt me for username and password for each device in the community. I unchecked "Encrypt and Store Device Credentials" and it still only prompts me one time for a username and password.

    Hi,
    We tried reproducing it in our local set up and we also analyzed the problem with respect to the expected behavior in CNA.
    Could you please share some more details as mentioned below so as to provide you the exact solution.
    1) Is the same set of user name and password used for all the devices?
    2) Was the password store feature enabled while creating community and was disabled later?
    Regards,
    Pramod

  • AAA authentication for networking devices using ACS 4.1 SE

    Hi!!!
    I want to perform AAA authentication for networking devices using ACS 4.1 SE.
    I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
    I want telnet, SSH and console attempts to be verified by the RADIUS server, and if ACS goes down then it will be via the local enable password.
    For all users i need to have different privilege levels based upon which access will be granted.
    Could you please send me the config that is required to be done on the active devices as well as ACS!!!!

    Pradeep,
    Are you planning MAC authentication for some users while using EAP for others?
    For MAC authentication, just use the following in your AP.
    aaa authentication login mac_methods group radius
    In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
    In your SSID configuration, under client authentication settings,
    check "open authentication" and also select "MAC Authentication" from the drop-down list.
    If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
    Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
    You will not need to change anything in XP.
    NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
    HTH

  • Fine tuning the logging to cisco device

    Dear Netpro Community,
    I am trying to fine tune the AAA portion on the cisco device
    Here is my current configuration:
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    If the radius server is offline, the first level is not a problem. However, the issue occurs if I want to go to enable mode. It will not use the enable password defined locally, but instead it will go to and search for radius server for authentication.
    Debug:
    test_switch>en
    Password:
    01:05:15: RADIUS: Authenticating using $enab15$
    01:05:15: RADIUS: ustruct sharecount=1
    01:05:15: RADIUS: Initial Transmit tty0 id 44 x.x.x.x:1812, Access-Request,
    len 72
    01:05:15: Attribute 4 6 AC10E10F
    01:05:15: Attribute 5 6 00000000
    01:05:15: Attribute 61 6 00000000
    01:05:15: Attribute 1 10 24656E61
    01:05:15: Attribute 2 18 69ABFDF8
    01:05:15: Attribute 6 6 00000006
    01:05:20: RADIUS: Retransmit id 44
    01:05:25: RADIUS: Retransmit id 44
    01:05:30: RADIUS: Retransmit id 44
    Password:
    01:05:35: RADIUS: Marking server x.x.x.x:1812,1813 dead
    01:05:35: RADIUS: Tried all servers.
    01:05:35: RADIUS: No valid server found. Trying any viable server
    01:05:35: RADIUS: Tried all servers.
    01:05:35: RADIUS: No response for id 44
    01:05:35: RADIUS: No response from server
    % Password: timeout expired!
    % Error in authentication.
    How do I ensure that I can access the switch in privileged mode if there is no path to the RADIUS server?

    Jagdeep:
    With the default "radius-server retransmit" value, there are (potentially) three retransmissions that may occur if the RADIUS server doesn't respond to the first request. With a 1 sec. "radius-server timeout", this provides a four second window of opportunity for a successful response.
    If he doesn't want to use a "radius-server timeout" as low as 1 sec. (per your concern), he can use the "radius-server retransmit" command to constrain (to a reasonable period) the time required to mark an MIA RADIUS Server as dead.
    e.g.:
    radius-server host aaa.bbb.ccc.ddd auth-port 1812 acct-port 1813 timeout 2 retransmit 1 key xxxxxxxxxx
    Contrary to your statement, your approach and mine are trying to facilitate the same thing, i.e.: accommodating fall back to the enable method prior to login timeout.
    However, your recommendation only results in a successful login after 20+ sec., due to postponement of fall back, resulting from the 20 sec. spent determining that the MIA RADIUS Server is dead.
    I don't ever want to wait 20+ sec. for a login, and don't find it necessary to wait that long to conclude that an AAA server is MIA.
