topic Denying AAA Clients to a specific user group in ACS v4.1 in Network Access Control

Denying AAA Clients to a specific user group in ACS v4.1

DAVE GENTON — Sun, 10 Mar 2019 23:45:13 GMT

Using 4.1 is there a "simple" method of simply denying a usergroup the ability to even login to specific AAA clients? Customer has a telephony group that they want to allow them to telnet and check into all the voice routers, but no other routers, they have the command sets and all that setup but wanted to see if a way to push that group simply to voice routers only ??

thanks in advance,

dave

Re: Denying AAA Clients to a specific user group in ACS v4.1

Jagdeep Gambhir — Fri, 23 Oct 2009 15:44:14 GMT

You can set it up using NAR in ACS.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

Regards,

~JG

Do rate helpful posts

Re: Denying AAA Clients to a specific user group in ACS v4.1

DAVE GENTON — Fri, 23 Oct 2009 15:49:11 GMT

I looked at that, but isn't that just simply "network restriction" I want them to be able to login to all voice routers and execute the "allowed" commands we have listed, but if they login to a data only router, to get denied access altogether, make sense ?

Re: Denying AAA Clients to a specific user group in ACS v4.1

Jatin Katyal — Fri, 23 Oct 2009 15:50:35 GMT

Hi,

Why don't you use NAR (Network access restriction)

Under the network config > simply create one NDG and assign all the voice router under it.

After that go to the group/user where you want to put this restriction

You need to check that what are we getting in calling station id. If we are getting ip address then

[1] To accomplish above we would configure the group with following

NAR (network access restriction)

Define IP based Network Access Restriction

Permitted Calling Point

AAA client: VOICE NDG created

Port *

Src IP Address *

Subit the changes and try.

Here is more on configuring Network Access Restriction:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.

2/user/guide/GrpMgt.html#wp478900

HTH

Plz rate helpful posts-

Re: Denying AAA Clients to a specific user group in ACS v4.1

DAVE GENTON — Fri, 23 Oct 2009 15:53:37 GMT

Thanks I will give that a shot, that's what was hanging me up on the NAR was that it showed CLID/DNIS but they are local telnet users...

Re: Denying AAA Clients to a specific user group in ACS v4.1

Jatin Katyal — Fri, 23 Oct 2009 16:02:19 GMT

Hi,

Just checked your reply.

Well, you need to go bit tricky, looks like that you have data and voice routers and you want no access to data routers and restricted access to voice routers.

Check this::

Create two NDG's one for voice routers and other for data router's.

Go to the group > apply NAR on data routers with action as denied. If we are getting anything apart from valid ip address than you have to use CLI/DNIS based NAR.

since you have command set created with specific commands > on the same group > scroll down to the Shell Command Authorization Set

Assign a Shell Command Authorization Set on a per Network Device Group Basis

Here you can map VOICE router's NDG with respective command authorization set.

So this way we can denied access to data routers and restricted access to voice router's.

HTH

Plz rate helpful posts-

Re: Denying AAA Clients to a specific user group in ACS v4.1

kwillacey — Mon, 09 Nov 2009 20:32:59 GMT

What do the stars mean, is it a wild card?

If I select deny access and all AAA clients and apply it to a group. Does that mean that they will not have access to the AAA client? ie they will not be able to authenticate and log on to a router.

Re: Denying AAA Clients to a specific user group in ACS v4.1

Jagdeep Gambhir — Mon, 09 Nov 2009 20:45:18 GMT

Yes it is a wild card.

Yes, if condition is deny for all aaa-client then that group will not have access to all clients.

Access denied.

Regards,

~JG

Do rate helpful posts

Re: Denying AAA Clients to a specific user group in ACS v4.1

Jatin Katyal — Mon, 09 Nov 2009 20:49:13 GMT

Hi Kelvin,

You got it right. * means wildcard and if we use (*) for port and source address then it would assume any port/address.

If you use action as deny for all aaa client then users of that group in ACS will not able to access any device.

HTH

Plz rate helpful posts-

Re: Denying AAA Clients to a specific user group in ACS v4.1

kwillacey — Mon, 09 Nov 2009 20:54:08 GMT

OK thanks that's what I was hoping. One more question, if I have remote access VPN on an ASA and authentication is provided via the ACS and I add the NAR as I described earlier would those users in the group still be able to authenticate?

Re: Denying AAA Clients to a specific user group in ACS v4.1

Jatin Katyal — Mon, 09 Nov 2009 21:50:31 GMT

Hi kelvin,

They will be able to connect if you are using ASA for VPN using radius protocol.

HTH

Plz rate helpful posts-

Re: Denying AAA Clients to a specific user group in ACS v4.1

kwillacey — Mon, 09 Nov 2009 21:54:41 GMT

I am guessing if it is using TACACS then it is going to be a problem, am i right?

Re: Denying AAA Clients to a specific user group in ACS v4.1

Jatin Katyal — Mon, 09 Nov 2009 21:58:37 GMT

Kelvin,

You are correct. If we are using tacacs for both the sessions then this would not work because rem_address would be same and that will not allow the vpn users because NAR is there.

HTH

Plz rate helpful posts-

Re: Denying AAA Clients to a specific user group in ACS v4.1

kwillacey — Mon, 09 Nov 2009 22:01:28 GMT

ACS 3.2 does not have device groups so I cannot separate the devices.... thanks a lot I'm gonna have to think about it some more.