topic Re: Control access to network device with ACS in Network Access Control

Control access to network device with ACS

dwhisinnand — Sun, 10 Mar 2019 21:28:05 GMT

Hi all!

Currently I have in place a Cisco Secure ACS Appliance using Windows as the back end authentication. Cisco Secure is acting as TACACS+ server. I have two groups defined in Cisco Secure: Netadmins and ITD Security. The users in the Netadmins group need access to all switches and routers on the network. ITD Security only needs access to async line 53 on a 2611 router for an out of band connection to a firewall and no other access to any network devices. How can I limit access for the Cisco Secure group “ITD Security” to line 53 only?

My current config on this router is:

aaa new-model

aaa authentication login netadmins group tacacs+ line

aaa authentication login ITDSEC group tacacs+ line

tacacs-server host 10.30.X.X

tacacs-server host 10.18.X.X

tacacs-server key XXXXXXX

line 53

no exec

transport input all

stopbits 1

speed 115200

line vty 0 4

exec-timeout 30 0

timeout login response 120

but the users in the “ITD Security” can still gain access by vty and then reverse telnet to any async line on the router. Additionally, users in the “ITD Security” can still access any other switch or router using telnet: what should my configuration on those device be? Do I need to do some configuration in ACS?

All other devices:

aaa new-model

aaa authentication login netadmins group tacacs+ line

tacacs-server host 10.30.X.X

tacacs-server host 10.18.X.X

tacacs-server key XXXXXXX

line con 0

password 7 141C015C5806

line vty 0 4

password 7 11020A524310

line vty 5 15

password 7 11020A524310

Any help will be greatly appriciated.

Re: Control access to network device with ACS

darpotter — Mon, 13 Feb 2006 14:47:14 GMT

In the Security group I would create an IP Network Access Restriction with a permit entry. Basically to allow access to the single port on 2611 only.

The AAA Client field is the name you've given to the 2611 in network config. Address will be * unless you want to restrict access to one or ip address. Port... never quite sure with async whether the port value should be "async 53" or "line 53".

If you look in passed/failed attempts for the nas-port attribute you'll see what T+ is sending to ACS. This should help you know what to put in the NAR.

Darran

Re: Control access to network device with ACS

dwhisinnand — Mon, 13 Feb 2006 16:52:09 GMT

Darren

Thank you very much for the help. I looked at the failed attempts log and found the NAS-Port to be tty53. I created an IP-based NAR for the security group in ACS and used port tty53 for the AAA client.

Problem sovled!

-David