Separation of administrative and general users – Cisco 3.3 User Manual

2-17

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 2 Deployment Considerations

Basic Deployment Factors for Cisco Secure ACS

Separation of Administrative and General Users

It is important to keep the general network user from accessing network devices.
Even though the general user may not intend to gain unauthorized access,
inadvertent access could accidentally disrupt network access. AAA and
Cisco Secure ACS provide the means to separate the general user from the
administrative user.

The easiest, and recommended, method to perform such separation is to use
RADIUS for the general remote access user and TACACS+ for the administrative
user. An issue that arises is that an administrator may also require remote network
access, like the general user. If you use Cisco Secure ACS this poses no problem.
The administrator can have both RADIUS and TACACS+ configurations in
Cisco Secure ACS. Using authorization, RADIUS users can have PPP (or other
network access protocols) set as the permitted protocol. Under TACACS+, only
the administrator would be configured to allow shell (exec) access.

For example, if the administrator is dialing in to the network as a general user, a
AAA client would use RADIUS as the authenticating and authorizing protocol
and the PPP protocol would be authorized. In turn, if the same administrator
remotely connects to a AAA client to make configuration changes, the AAA client
would use the TACACS+ protocol for authentication and authorization. Because
this administrator is configured on Cisco Secure ACS with permission for shell
under TACACS+, he would be authorized to log in to that device. This does
require that the AAA client have two separate configurations on Cisco Secure
ACS, one for RADIUS and one for TACACS+. An example of a AAA client
configuration under IOS that effectively separates PPP and shell logins follows:

aaa new-model

tacacs-server host

ip-address

tacacs-server key

secret-key

radius-server host

ip-address

radius-server key

secret-key

aaa authentication ppp default group radius

aaa authentication login default group tacacs+ local

aaa authentication login console none

aaa authorization network default group radius

aaa authorization exec default group tacacs+ none

aaa authorization command 15 default group tacacs+ none

username

user

password

password

line con 0

login authentication console