https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085703#M400656 <HTML><HEAD></HEAD><BODY><P>Not that I know of. You can setup different authorization groups for people that should not have access to all commands though.</P></BODY></HTML> Mon, 17 Nov 2008 21:24:21 GMT Collin Clark 2008-11-17T21:24:21Z https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085698#M400643 <P>I am trying to setup login authentication on all of our Cisco switches. I have created an Windows AD group called NetworkAdmins and added the correct users to that group. Inside of ACS I did a group mapping and mapped my ACS group called NetworkAdmins to my Windows NetworkAdmins group.</P><P></P><P>I configure my Cisco 3750 with the following commands for authentication.</P><P></P><P>aaa new-model</P><P>aaa authentication login NetworkAdmins group tacacs+ local</P><P>aaa authorization exec NetworkAdmins group tacacs+ local</P><P>aaa accounting update newinfo</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting update newinfo</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa session-id common</P><P></P><P>The authentication does work, but it authenticates to any user, not just to the users in the NetworkAdmins group. How do I tell the switch to only authenticate on the NetworkAdmins group?</P><P></P><P>Thanks for the help!!</P><P></P> Sun, 10 Mar 2019 23:11:37 GMT https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085698#M400643 prekojo 2019-03-10T23:11:37Z https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085699#M400646 <HTML><HEAD></HEAD><BODY><P>In ACS, under your group settings configure NAR to allow AAA clients. Under the default group in ACS configure NAR to deny all for AAA clients (or necessary ones).</P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 17 Nov 2008 18:44:10 GMT https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085699#M400646 Collin Clark 2008-11-17T18:44:10Z https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085700#M400649 <HTML><HEAD></HEAD><BODY><P>That appears to have worked. Thanks so much for the help!!! I do have one more question. Once the user is logged in, I issue the "enable" command. When I issue the enable command the switch asks for the enable password. I have the user setup with level 15 privileges, shouldn't the user go right to enable mode without having to type the enable password? How do I setup the user to go straight to enable mode when they login, instead of having to enter the local enable password. </P><P></P><P>Thanks again</P></BODY></HTML> Mon, 17 Nov 2008 20:02:17 GMT https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085700#M400649 prekojo 2008-11-17T20:02:17Z https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085701#M400651 <HTML><HEAD></HEAD><BODY><P>In your router/switch...</P><P></P><P>config t</P><P>line vty 0 4</P><P>privilege level 15</P><P></P><P>That should do it! You can't do it with firewalls, they force you to enter the enable password.</P></BODY></HTML> Mon, 17 Nov 2008 21:18:49 GMT https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085701#M400651 Collin Clark 2008-11-17T21:18:49Z https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085702#M400654 <HTML><HEAD></HEAD><BODY><P>Excellent!! Is there anyway to do it per user instead of any vty session?</P><P></P><P>Thanks again!!!!</P></BODY></HTML> Mon, 17 Nov 2008 21:22:39 GMT https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085702#M400654 prekojo 2008-11-17T21:22:39Z https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085703#M400656 <HTML><HEAD></HEAD><BODY><P>Not that I know of. You can setup different authorization groups for people that should not have access to all commands though.</P></BODY></HTML> Mon, 17 Nov 2008 21:24:21 GMT https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085703#M400656 Collin Clark 2008-11-17T21:24:21Z https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085704#M400657 <HTML><HEAD></HEAD><BODY><P>Would you specify the authorizations groups using the following command then?</P><P></P><P>aaa authorization commands 3 NetworkUsers group tacacs+ local</P></BODY></HTML> Mon, 17 Nov 2008 21:36:52 GMT https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085704#M400657 prekojo 2008-11-17T21:36:52Z https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085705#M400658 <HTML><HEAD></HEAD><BODY><P>I do it in ACS. I've attached a little write up I did for reference. I hope it helps.</P><P></P><P> </P><P></P></BODY></HTML> Mon, 17 Nov 2008 21:43:55 GMT https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085705#M400658 Collin Clark 2008-11-17T21:43:55Z https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085706#M400659 <HTML><HEAD></HEAD><BODY><P>I haven't got this part working yet, but thanks for the info. Your documentation is great!!!!</P></BODY></HTML> Tue, 18 Nov 2008 14:19:51 GMT https://community.cisco.com/t5/network-access-control/windows-groups-authentication-with-acs/m-p/1085706#M400659 prekojo 2008-11-18T14:19:51Z