topic Re: Access Restriction on ACS in Network Access Control

Access Restriction on ACS

Amin Shaikh — Sun, 10 Mar 2019 22:54:19 GMT

Routers access are authenticated via ACS using Active Directory,

But I want only administrator to get access to routers not all Active Directory users.

To acheive this what action is required on ACS??

FYI :::

<> I have Administrator group on Active Directory.

<> I have 40 Network-Devices to access some on different subnets

Re: Access Restriction on ACS

darpotter — Fri, 13 Jun 2008 09:49:38 GMT

Not too hard...

1) Make sure ACS is correctly mapping from Windows group to ACS group (under external authentication page). Basically get admins to map to an ACS admins group and everyone else to a non-admin ACS group.

2) In the ACS group selected to the be non admins group create an ip based NAR (network access restriction) that is a DENY on "All AAA Clients", port=*, addr=*

This very simple approach lets the admins have total access (you may want to tighten later) and non-admins nothing.

NAR filtering is applied during authentication, so the Failed Attempts report should show the user was filtered rather than rejected.

Darran

Re: Access Restriction on ACS

Jagdeep Gambhir — Fri, 13 Jun 2008 12:09:05 GMT

There are two section in NAR"s.

Ist is IP based NAR

2nd is CLI/DNIS based.

So for wireless users you need to apply only IP based NAR. By this wireless uses will NOT be able to ssh/telnet but they can connect to wireless network.

So that solve your issue ?

Check out this white paper,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Regards,

~JG

Do rate helpful posts

Re: Access Restriction on ACS

Amin Shaikh — Fri, 13 Jun 2008 13:01:36 GMT

Thanks for the reply...

I am not getting the syntax to

(( DENY on "All AAA Clients", port=*, addr=* ))

I need to deny access to router(aaa client 192.168.1.100 ) to group "Users" for telnet and ssh only..... and same for AP(Aironet) [[ aaa client 192.168.1.150 ))

Re: Access Restriction on ACS

Jagdeep Gambhir — Fri, 13 Jun 2008 13:44:08 GMT

Go to acs---->interface configuration---->advanced options---> enable Group-Level Network Access Restrictions-->Submit,

Regards,

~JG

Re: Access Restriction on ACS

Amin Shaikh — Fri, 13 Jun 2008 13:49:05 GMT

Thanks...

I had already enabled Group-level-network access.... but blocking the AAA client for non-admin(users group) is not working....

Re: Access Restriction on ACS

Jagdeep Gambhir — Fri, 13 Jun 2008 13:50:34 GMT

Pls attach the NAR screen shot

Re: Access Restriction on ACS

Amin Shaikh — Fri, 13 Jun 2008 14:29:57 GMT

Thanks for your reply.

I have attached the screen-shot..where VPN user-group can ssh/telnet to network devices even the NAR is applied to the group...

Re: Access Restriction on ACS

Jagdeep Gambhir — Fri, 13 Jun 2008 15:09:50 GMT

Use "*" for port and IP address

Re: Access Restriction on ACS

Amin Shaikh — Fri, 13 Jun 2008 15:24:20 GMT

Thanks...

Instead of going to each group and defining NAR, Is there a way to allow for one group and deny for all other groups....

Re: Access Restriction on ACS

Jagdeep Gambhir — Fri, 13 Jun 2008 16:14:26 GMT

Unfortunately , there is no such option. It can only be defined on individual group or at user level.

Regards,

~JG

Do rate helpful posts