The accprofile is applied only after the TACACS+ server returns an ACCEPT for a successful authentication; this is how authorization, i.e. the privilege level, is granted to the end user.
Here's a screen shot of the Shell Profiles from the Profile Elements within Cisco ACS (see the blue and wine colored arrows).
Key Points:
- A user can be in only ONE accprofile. The accprofile grants none, read, or read-write access for each group of commands (e.g. fwgrp, sysgrp, etc.).
- If a wildcard admin user is enabled, the accprofile returned for the login can override the accprofile defined on the wildcard user.
- If the accprofile name referenced by the server does not exist on the FortiGate, the default accprofile defined for that user is granted.
A FortiOS sample accprofile configuration:

config sys accprofile
    edit "CORP_LEVEL2"
        set comments "TIER#2 ENGINEERS"
        set mntgrp read
        set admingrp read
        set updategrp read
        set authgrp read-write
        set sysgrp read
        set netgrp read
        set loggrp read
        set routegrp read
        set fwgrp custom
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set endpoint-control-grp read
        set wifi read
        config fwgrp-permission
            set policy read-write
            set address read-write
            set service read-write
            set schedule read
            set packet-capture read
            set others read-write
        end
    next
    edit "CORP_ENG_SR"
        set comments "SENIOR SEC-ENG"
        set mntgrp read-write
        set admingrp read
        set updategrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set routegrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set endpoint-control-grp read-write
        set wifi read-write
    next
end
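Because an accprofile is the whole authorization decision once TACACS+ says ACCEPT, it is worth being able to review the profiles on a box mechanically. The script below is an added example (not from the original post or from Fortinet): it parses a trimmed copy of the accprofile configuration above, embedded as a constructed sample string, into a per-profile permission map, handling the `edit ... next` entries and the nested `config fwgrp-permission ... end` table, resolves what `fwgrp custom` actually means, and flags any profile that holds read-write on groups that control the box itself. The group list in `SENSITIVE_GROUPS` and the function names are this example's own choices.

```python
import re

# Constructed sample: a trimmed copy of the accprofile block shown above.
SAMPLE_CONFIG = """\
config sys accprofile
    edit "CORP_LEVEL2"
        set comments "TIER#2 ENGINEERS"
        set admingrp read
        set updategrp read
        set sysgrp read
        set fwgrp custom
        config fwgrp-permission
            set policy read-write
            set address read-write
            set schedule read
        end
    next
    edit "CORP_ENG_SR"
        set comments "SENIOR SEC-ENG"
        set admingrp read
        set updategrp read-write
        set sysgrp read-write
        set fwgrp read-write
    next
end
"""

# Groups where read-write lets a login change who administers the box or
# what firmware/system settings it runs; this list is the example's own choice.
SENSITIVE_GROUPS = ("admingrp", "sysgrp", "updategrp")

_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def parse_accprofiles(text):
    """Return {profile_name: {field: value, 'fwgrp-permission': {...}}}."""
    profiles = {}
    current = None   # dict of the profile inside the current 'edit'
    sub = None       # dict of the nested 'config fwgrp-permission' table
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('edit '):
            current = profiles.setdefault(line[5:].strip().strip('"'), {})
        elif line.startswith('config ') and current is not None:
            # nested table inside a profile, e.g. 'config fwgrp-permission'
            sub = current.setdefault(line.split(None, 1)[1], {})
        elif line == 'end' and sub is not None:
            sub = None                       # closes only the nested table
        elif line == 'next':
            current, sub = None, None
        else:
            m = _SET_RE.match(line)
            if m and current is not None:
                key, val = m.group(1), m.group(2).strip()
                if key == 'comments':
                    val = val.strip('"')
                (sub if sub is not None else current)[key] = val
    return profiles


def effective_fw_permissions(profile):
    """Resolve fwgrp: 'custom' means the fwgrp-permission table applies,
    otherwise the single fwgrp value covers every firewall sub-area."""
    mode = profile.get('fwgrp', 'none')
    if mode == 'custom':
        return dict(profile.get('fwgrp-permission', {}))
    return {k: mode for k in ('policy', 'address', 'service', 'schedule',
                              'packet-capture', 'others')}


def audit(profiles):
    """List (profile, group) pairs where a sensitive group is read-write."""
    return [(name, grp) for name, prof in profiles.items()
            for grp in SENSITIVE_GROUPS if prof.get(grp) == 'read-write']


if __name__ == '__main__':
    profs = parse_accprofiles(SAMPLE_CONFIG)
    for name, prof in profs.items():
        print(name, '-', prof.get('comments'), '- fwgrp:',
              effective_fw_permissions(prof))
    for name, grp in audit(profs):
        print('WARNING: %s grants read-write on %s' % (name, grp))
```

Feed it the output of `show system accprofile` from a real unit instead of the sample string and the warnings tell you which profile names you should never hand out through a TACACS+ shell profile to a tier that only needs to edit firewall objects.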
The CLI command diag debug app fnbamd -1 (together with diag debug enable) will provide details on authentication and authorization, and the following command will show authentication PASS/FAIL and any accprofile that is applied:
diag test authserver tacacs+ <tacacs_server_name> <username> <password>
e.g. testing the user socadmin1
Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com