This question is probably off topic regarding Cisco, but is there a way to restrict which users have access to which switches globally?
I mean that in most configurations I see, *all* admins are put in the same AD group and have their usernames/passwords authenticated against AD, with the same privileges.
Is there an easier way to restrict access down even further so that the users in the AD group can authenticate and log in to the switch, but then filter the different "views" they have access to globally? I've seen this at some of the bigger ISPs, but they use stand-alone software to accomplish it. Is it possible to have global administration of the views and at the same time authenticate through AD/LDAP?
I have done extensive research on the topic but found no good information. Basically I just want RADIUS/AD authentication and access views to be administered globally instead of per device. The authentication is the easy part.
Any ideas are greatly appreciated!
Daniel, you can use ACS with TACACS+ and pass the authentication to AD while still retaining control over the router commands.
However, do you know if there are any solutions without ACS for this?
Or is it required to use third-party software (I still refer to ACS as third-party software since it's not part of the devices) to accomplish this?
What I'm thinking about is whether there is a way to configure different administrative views with access to various commands on one router/switch/network device and globally "push" that config to the rest of the devices.
That way I can use AD for authentication to get access to the devices, and when they log in there would be a local database with the same credentials that would define which commands they'd have access to, but my administration would still be a single point.
Do I confuse you? I know ACS and various software products can accomplish this, but think of it as a "single sign on" solution for the end user.
As far as I know, only TACACS+ is able to separate authentication from authorization, which is what you're after, and, as a consequence, you have to use Cisco ACS for this. It allows you to implement SSO since it passes the authentication to AD, and then you can map the AD groups to privileges, commands, or views that you define in ACS for the authorization part. I think this is the most cost-effective solution, but, if the budget allows, you can implement TrustSec/ISE, which is a more granular (and expensive) solution based on 802.1X authentication.
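The device side of the setup described in the answer above, as an added example (not from the thread or from Cisco documentation): IOS sends login authentication, exec authorization and per-command authorization to a TACACS+ server (ACS), and ACS maps the AD group to a privilege level or to a CLI view name. The server address, shared secret and view name are placeholders; the command sets for an AD group are defined centrally in ACS, but a parser view referenced by name must exist on every device it is applied to.

```cisco
! --- TACACS+ server definition (address and key are placeholders) ---
aaa new-model
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key EXAMPLE-SHARED-SECRET
aaa group server tacacs+ ACS-GROUP
 server name ACS-PRIMARY
!
! --- Authentication: ACS first, local database only if ACS is unreachable ---
aaa authentication login default group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
!
! --- Authorization: exec session assigns priv-lvl / cli-view-name returned by ACS,
!     then every level-1 and level-15 command is checked against the ACS command set ---
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 1 default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa authorization config-commands
!
! --- Accounting: log each command to ACS for audit ---
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! --- Emergency local account used only when ACS is down (secret is a placeholder) ---
username emergency privilege 15 secret EXAMPLE-LOCAL-SECRET
enable secret EXAMPLE-ENABLE-SECRET
!
! --- Role-based CLI view; ACS returns shell attribute cli-view-name=NETOPS-VIEW
!     for the matching AD group, so this view must be present on each device ---
parser view NETOPS-VIEW
 secret EXAMPLE-VIEW-SECRET
 commands exec include show running-config
 commands exec include show interfaces
 commands exec include configure terminal
 commands configure include interface
 commands interface include shutdown
 commands interface include no shutdown
```

The `local` fallback in each AAA method list only takes effect when no TACACS+ server answers; while ACS is reachable, its decision is final, so the emergency account cannot be used to bypass the central policy.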
Thanks, well yes, that was what I was looking for.
I knew it could be done that way; I was just looking for another option to build a less complex system.
Thanks for your input, it was more than I could achieve!