topic NDGs and User group issues in Network Access Control

NDGs and User group issues

umamon — Sun, 10 Mar 2019 22:46:49 GMT

I have two sets of NDGs

1. Routers_Switches

2. UPS_PDU (Power Supplies)

I have two sets of UserGroups

1. Network Administrators

2. UPS Support Staff

I only want Network Admins to access the Routers_Switch group and the UPS Support Staff to access the UPS_PDU NDG. I have users from Usergroup Network Admin accessing the UPS Device Group. Is there a way to have only the Network Admin group access only the routers_switch ndg and not the UPS_PDU ndg?

Re: NDGs and User group issues

craig.eyre — Sun, 13 Apr 2008 00:53:20 GMT

Which version of ACS software are you running?

It's pretty much the same idea on ACS 3 or 4 but I can explain in more detail with which version you have>

Craig

Re: NDGs and User group issues

craig.eyre — Sun, 13 Apr 2008 01:02:06 GMT

Hi,

Yeah in ACS 3.1 its under the Shared Profile Components page. In ACS 4.1 its directly under the user groups or under SPC page.

You need to check the box for "define ip based access restriction" and deny access for all other groups to the wireless access points network device group.

ACS 3.X)

1. Denied Calling/Point of access restrictions

2. AAA Clients =UPS_PDU (Power Supplies)

3. Port = just put a * for all

4. Src IP address = just put a * as well

SUBMIT to SAVE

Create a second one for the other group like so:

1. Denied Calling/Point of access restrictions

2. AAA Clients =Routers_Switches

3. Port = just put a * for all

4. Src IP address = just put a * as well

Click submit to save it.

Go to the ACS User groups section and select the Network Administrators Group " that don't need access to the UPS's" and apply the NAR you created to that group. Do the same for the other grouping.

(ACS 4.X)

Go directly under the "user groups" and create the NAR under there. No need to go under the Shared Profile Components section

Hope this helps and let me know if you need further assistance or explanation.

Craig

Re: NDGs and User group issues

umamon — Mon, 14 Apr 2008 02:51:25 GMT

Hi Craig,

I'm running ACS 4.1

Re: NDGs and User group issues

craig.eyre — Mon, 14 Apr 2008 14:23:28 GMT

Just select

1.Group Setup

2.Select the Routers_Switches group

3.Ten scroll down to the "per group defined network access restrictions" Enable it with a checkmark.

4. Select deny calling/point

5. AAA client = UPS's

6. Ports = *

7. Address = *

8. Hit enter and the new rule will be added to the window above.

9. Click submit (not submit and restart until you create the other NAR for the other group)

Go back and select the UPS_PDU group and do the same steps but,

1. AAA client = routers_switches

2. Port = *

3. Address = *

4. Enter

Click submit and restart but remember this will stop authenticating users for the time its restarting.

Hope this helps.

Craig

Pls rate helpful posts.

Re: NDGs and User group issues

umamon — Mon, 14 Apr 2008 18:37:48 GMT

Hi Craig,

I will try this as soon as I can figure out why I can't get to the web interface. I turned on logging friday of last week and now my drive is full, I've compressed files and regain space on my harddrive, but now I still can't get in. If you have any knowledge to assist with this I will appreciate it.

Re: NDGs and User group issues

umamon — Mon, 14 Apr 2008 19:35:51 GMT

Thanks Craig for your help, that worked!!!

Re: NDGs and User group issues

umamon — Mon, 14 Apr 2008 21:47:27 GMT

Hi Craig,

I spoke to soon, I've done what you said. The PDU support techs are denied to the routers/switches, but I'm (apart of the Network Admin) and I can still get into the PDU......

Re: NDGs and User group issues

craig.eyre — Tue, 15 Apr 2008 02:31:23 GMT

Hi,

you need to go under the Network admin Group and create a NAR that denies access to the PDU device group.

Same steps as 1st one but:

Group setup, Network Admin group, edit group, create NAR to deny access to PDU group and put * for port and address.

hope this clears it up a bit.

Craig

Re: NDGs and User group issues

umamon — Wed, 16 Apr 2008 05:26:45 GMT

I've tried all your steps, recheck and tested, and for some reason, I am still able to get into the PDU devices. I've tested the deny NAR and it works for the network admin. I even tested the deny NAR for my network devices, and the rule did in fact deny me. So I know that is working. Just for testing purposes, I tested the PDU admin group by denying the PDU devices the rule did not restrict access to the PDU admin users they were stil able to get into the PDU, removed the deny pdu and re added the router/switch NDG, and still the same results. Perhaps it could be something on the PDU device that has to be configured? Could there be another option in relation to the way these rules work?

Re: NDGs and User group issues

craig.eyre — Wed, 16 Apr 2008 14:12:54 GMT

Are any of the users in the PDU admin group members of other groups that are mapped on the acs? Eg. Is Bob a member of PDU admin and Client Support?

You can check in the ACS logs to see what group the user is associating to when they connect to the PDU devices. So if Bob logs in and gains access to your PDU devices (with the NAR)what group is the ACS matching him to.

Craig

Re: NDGs and User group issues

darpotter — Tue, 22 Apr 2008 15:39:35 GMT

For failures... the failed attempts report "Reason" column might give you a clue about which part of the NAR is triggering.

Im assuming we're talking TACACS+... ACS will choose which type of NAR to use (IP or dial) by looking at the rem_addr attribute. If it sees an ip address it will use ip nars. If not it'll use the ones.

you could check the T+ accounting report, or run the CSTacacs -z -e service at the command prompt to see incoming packets logs at the console.

Re: NDGs and User group issues

umamon — Tue, 22 Apr 2008 21:53:31 GMT

hello,

my logon to the UPS devices do not fail, i actually get into these devices, and i don't, I wanna be able to restrict users groups to certain network device groups. can you help me with that