With Cisco Secure ACS you can configure which specific commands are permitted or denied for users or groups that authenticate through it.

acs_shell_auth.pdf

ACS Shell Command Authorization Sets on IOS and ASA/PIX Configuration

The setup options are:
1. ReadWrite Access - for administrators etc.; full access
2. ReadOnly Access - users are allowed to run only show commands
   e.g. you can grant permission for the show commands only.
3. Restrict_access
   You can set fine-grained permissions for specific commands.


Devices running IOS must contain the following configuration:
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default  group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
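An added example (not from the post or from Cisco) that audits an IOS running-config for the lines above: it checks that AAA is enabled, that configuration-mode commands are authorized, and that privilege levels 0, 1 and 15 each send command authorization to TACACS+ with a local fallback. The function names and the sample config are constructed for this example.

```python
import re

# Privilege levels the post's required IOS configuration covers.
REQUIRED_LEVELS = (0, 1, 15)

# "aaa authorization commands <level> default <method list>"
_CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) default\s+(.+?)\s*$")


def parse_command_authorization(config_text):
    """Map privilege level -> method list for each 'aaa authorization commands' line."""
    levels = {}
    for raw in config_text.splitlines():
        m = _CMD_AUTHZ.match(raw.strip())
        if m:
            # "group tacacs+ local" -> ["group tacacs+", "local"]
            levels[int(m.group(1))] = re.findall(r"group \S+|local|none|if-authenticated", m.group(2))
    return levels


def audit_aaa_command_authorization(config_text):
    """Return findings; an empty list means the config has every line the post requires."""
    lines = {l.strip() for l in config_text.splitlines()}
    findings = []
    if "aaa new-model" not in lines:
        findings.append("missing 'aaa new-model' (AAA is not enabled)")
    if "aaa authorization config-commands" not in lines:
        findings.append("missing 'aaa authorization config-commands' (config-mode commands not authorized)")
    levels = parse_command_authorization(config_text)
    for level in REQUIRED_LEVELS:
        methods = levels.get(level)
        if methods is None:
            findings.append(f"no command authorization for privilege level {level}")
            continue
        if "group tacacs+" not in methods:
            findings.append(f"level {level}: TACACS+ (ACS) is not in the method list")
        if "local" not in methods:
            findings.append(f"level {level}: no 'local' fallback if ACS is unreachable")
    return findings


# Constructed sample: level 15 lacks the local fallback and
# 'aaa authorization config-commands' is absent.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default  group tacacs+ local
aaa authorization commands 15 default group tacacs+
"""
```

Running `audit_aaa_command_authorization(SAMPLE_CONFIG)` reports the two gaps; an empty list means the device matches the post's required lines.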


The PDF is in English, but the figures make the setup easy to follow.

Q. When I set up authentication, I receive the "Chpass is currently disabled." error when I try to authenticate. How do I fix this problem?

A. The user account password must be set to change on login. In order to change the password, select System Configuration > Local Password Management > "Disable TELNET Change Password against this ACS and return the following message to the user's Telnet session: Chpass is currently disabled." and uncheck the box. This allows you to change the password.


I ran into a problem when upgrading Cisco ACS from version 3.0 to 3.3. I had added an auth-proxy with web authentication so that users could use the network, and after the upgrade password resume no longer worked.

Fix: as in the text above, apply the "Disable TELNET Change Password against this ACS and return the following message to the user's Telnet session" setting and it works.

This seems to be an item added to Local Password Management from version 3.2. Since I was only testing with web authentication, I could not see which error message was produced, which is why it was not easy to resolve.

Original page link

Document on Cisco Secure ACS for Windows compatibility.

http://www.cisco.com/warp/public/480/csnt.html
Exporting User List to a Text File

You can use the -u option to export a list of all users in the CiscoSecure user database to a text file named users.txt.
The users.txt file organizes users by group. Within each group, users are listed in the order that their user accounts were created in the CiscoSecure user database.
For example, if accounts were created for Pat, Dana, and Lloyd, in that order, users.txt lists them in that order as well, rather than alphabetically.

Step 1 On the computer running Cisco Secure ACS, open an MS-DOS command prompt and change directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see Location of CSUtil.exe and Related Files, page D-2.
Step 2 If the CSAuth service is running, type:
net stop csauth
and press Enter.
Result: The CSAuth service stops.
Step 3 Type:
CSUtil.exe -u
and press Enter.
Result: CSUtil.exe exports information for all users in the CiscoSecure user database to a file named users.txt.
Step 4 To resume user authentication, type:
net start csauth
and press Enter.


I typed this from a book, so there may be typos.

Addendum:

User Guide for Cisco Secure ACS for Windows Server (Version 3.2) PDF file link

http://www.cisco.com/application/pdf/en/us/guest/products/ps2086/c2001/ccmigration_09186a0080205a55.pdf
