
Chapter 4 Configuring the CSS as a Client of a TACACS+ Server
Configuring TACACS+ Server User Accounts for Use with the CSS
• Key - Enter the shared secret that the CSS and Cisco Secure ACS use to authenticate transactions. For correct operation, you must specify the identical shared secret on both the Cisco Secure ACS and the CSS. The key is
• Authenticate Using - Select TACACS+ (Cisco IOS).
Configuring Authorization Settings
To determine the privilege level of users accessing the CSS, you must configure the user accounts on the TACACS+ server to permit or deny execution of the privilege command. The CSS queries the TACACS+ server for authorization to execute the privilege command. If the server allows the privilege command, the user is granted privileged (SuperUser and configuration modes) access to the CSS. If the server denies the privilege command, the user is granted nonprivileged (User mode) access to the CSS.
To configure the group authorization settings:
1. From the Group Setup section of the Cisco Secure ACS HTML interface, Group Setup Select page, select the group for which you want to configure TACACS+ settings.
2. On the Shell Command Authorization Set page, click the Per Group Command Authorization checkbox.
3. Under Unmatched Cisco IOS Commands, either permit or deny execution of the privilege command:
• For a group that has SuperUser privileges on the CSS, select Permit. A SuperUser can issue any CSS command.
• For a group that has User privileges on the CSS, select Deny. A user can issue CSS commands that do not change the CSS configuration; for example, show commands.
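The outcome of these settings can be checked offline before a change is applied. The following Python is an added example, not Cisco code: it models only the permit/deny answer for the privilege command and flags groups whose resulting CSS access differs from what is intended. `GroupPolicy`, the group names and the explicit per-command entries are constructed assumptions, not taken from this guide.

```python
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"

@dataclass
class GroupPolicy:
    """Constructed stand-in for one group's command authorization settings."""
    name: str
    unmatched: str  # the "Unmatched Cisco IOS Commands" choice: permit or deny
    # Assumption: explicitly listed commands are evaluated before the
    # unmatched-commands choice (command -> permit/deny).
    commands: dict = field(default_factory=dict)

def authorize(policy, command):
    """Explicit entry wins; otherwise fall back to the unmatched choice."""
    return policy.commands.get(command, policy.unmatched)

def css_access(policy):
    """Access the CSS grants after asking whether 'privilege' is authorized."""
    return "SuperUser" if authorize(policy, "privilege") == PERMIT else "User"

def audit(policies, expected_superuser):
    """Return (group, intended, actual) for every group that is misconfigured."""
    findings = []
    for p in policies:
        actual = css_access(p)
        intended = "SuperUser" if p.name in expected_superuser else "User"
        if actual != intended:
            findings.append((p.name, intended, actual))
    return findings

# Constructed sample groups (hypothetical names).
GROUPS = [
    GroupPolicy("css-admins", unmatched=PERMIT),
    GroupPolicy("css-operators", unmatched=DENY),
    GroupPolicy("helpdesk", unmatched=PERMIT),  # left at Permit by mistake
    GroupPolicy("auditors", unmatched=PERMIT, commands={"privilege": DENY}),
]

if __name__ == "__main__":
    for name, intended, actual in audit(GROUPS, {"css-admins"}):
        print(f"{name}: intended {intended}, would receive {actual}")
```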
An alternative way to configure the group authorization settings is as follows:
1. Select Shared Profile Components, Shell Command Authorization Sets page.
2. Click the Add button to add a set or to edit an existing set.
3. Enter a name and description.
Cisco Content Services Switch Security Configuration Guide