topic Re: How to stop ACS intergated AD users to login in AAA clients( in Network Access Control

How to stop ACS intergated AD users to login in AAA clients(network device)

sunil.aroraa — Sun, 10 Mar 2019 23:38:52 GMT

I have ACS 4.2 Appliance which is integrated with Active directory.

AD users are able to login in network devices. Is there any so that I can stop AD user and other local users to login in AAA clinets (network devices).

Re: How to stop ACS intergated AD users to login in AAA clients(

Robert.N.Barrett_2 — Thu, 13 Aug 2009 18:39:37 GMT

Check how admin access is controlled (by what groups):

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/nac_conf.html#wp1165622

Re: How to stop ACS intergated AD users to login in AAA clients(

sunil.aroraa — Fri, 14 Aug 2009 02:52:46 GMT

HI Robert,

Thanks for your reply.

But I'm not talking about administration of ACS applinace. The concern is to stop the external database user to login in network devices (AAA clients).

Re: How to stop ACS intergated AD users to login in AAA clients(

Robert.N.Barrett_2 — Fri, 14 Aug 2009 16:53:59 GMT

These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.

What kind of AAA clients are we talking about? Cisco switches, Cisco WLC's? Swicthing gear from other companies?

For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS ro TACACS+, respectively):

aaa group server radius rad_admin

server xxx.xxx.xxx.xxx

aaa group server tacacs+ tac_admin

server xxx.xxx.xxx.xxx

If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

Re: How to stop ACS intergated AD users to login in AAA clients(

Robert.N.Barrett_2 — Fri, 14 Aug 2009 17:01:24 GMT

As a follow-up, let's assume you want to use ACS to authenticate admin access to your AAA clients, but you don't want ACS to check against AD.

If you are using TACACS+ for admin auth, and the admin users are in the local database on the ACS server, then I think you just need to go to your AAA client definition on the ACS server and scroll down to the "Tacacs+ login/enable authentication" section and select the appropriate "Authenticate Using" option.

Re: How to stop ACS intergated AD users to login in AAA clients(

sunil.aroraa — Sun, 16 Aug 2009 06:34:08 GMT

Yes, I don't want ACS to check credentials against AD and wants to denied the access to users for AAA clients (routers and switches) which are not local database of ACS. OR I can restrict the only specific user or groups to login in AAA clients.

I haven't found any option for it. As you said, scroll down to "Tacacs+ login/enable authentication" section but I was not able to find this option. Can you please elaborate this or can give the path and screen shot for the same.

I'll appreciate your efforts so solve the issue.

Re: How to stop ACS intergated AD users to login in AAA clients(

sunil.aroraa — Mon, 01 Feb 2010 10:22:39 GMT

Hi,

My problem havn't resolved yet and i'm still looking for solution. I have not found " Authenticate Using" option in ACS.

l'll appriciate if you can excatly let me know where I can find this option.

Thanks in advance.