In this tutorial, we will configure Cisco Secure ACS 5X to return a TACACS attribute defining the role a user should be placed into an IOS device using Role Based Access Control (RBAC).RBAC enables access restriction based on each user’s role and function within the organization.  This feature is very useful when you an ACSAdmin wants to delegate varying responsibilities to different user groups within an organization. Use of  Role-Based CLI Access feature allows the network administrator to define “views“, which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (config) mode commands.

We can create following roles to accomplish goals setforth:

1) Network Operator Role (netop)

Allowed to configure network related operational tasks e.g. configuration of static routes/ dynamic routing protocols /configure  any interface related commands / execute all show commands

 parser view netop
secret c1sc0n3t
commands configure include all ip route
commands configure include all router
commands configure include all interface
commands exec include configure terminal
commands exec include all show

2) Secruity Operator Role (secop)

Allowed to configure security & VPN related configuration tasks e.g. configuration of  VPN related configuration / applying AAA, Zone Based Firewall (ZBF), CBAC configuration, all TACACS/RADIUS configuration & configure  any interface related commands / execute all show commands

parser view secop
secret c1sc0s3c
commands configure include all radius-server
commands configure include all tacacs-server
commands configure include all interface
commands configure include all zone-pair
commands configure include all zone
commands configure include all policy-map
commands configure include all class-map
commands configure include ip inspect
commands configure include all crypto
commands configure include all aaa
commands exec include configure terminal
commands exec include all show

3) SuperOperator Role (superop)

This role is actually a superview of first 2 roles listed above . Basically ,this user will be allowed to configure all that is allowed under netop & secop roles

parser view superop superview
secret c1sc0sup3r
view netop
view secop


You would also be required to configure following steps in order to be able to authenticate/authorize users detailed here & hence retrieve ACS 5X attribute :

  • Setting up basic TACACS authentication on IOS router
  • Configuration of Network Device (R1) in ACS Server
  • Configuration of Identity Groups & Internal Users (or AD Users)
  • Setting up Shell Profiles & defining TACACS+ custom attribute for RBAC
  • Configuration of Access Policies & Device Authorization Policy

Most important part is Setting up Shell Profiles.I will show here setting for only Network Operator (netop) role, similar settings are applicable to Security Operator (secop) & Super Operator  (superop) roles covered in detail here

Create a Shell Profile as shown below:

Next, assign ‘cli-view-name’ attribute to a static value i.e netop in this case.



Once the user telnets into device & authenticates via telnet, you will have following output:

You can also verify successful authentication on IOS Router (via debugs) & Cisco Secure ACS 5X

Complete Step by Step Configuration is covered in the Cisco Secure ACS 5X Deployment Guide.

Tags: , , , , , , , , , ,