06-13-2008 12:10 AM - edited 03-10-2019 03:54 PM
Router access is authenticated via ACS using Active Directory,
but I want only administrators to get access to the routers, not all Active Directory users.
To achieve this, what action is required on ACS?
FYI:
<> I have an Administrator group on Active Directory.
<> I have 40 network devices to access, some on different subnets.
06-13-2008 09:14 AM
Unfortunately, there is no such option. It can only be defined on an individual group or at user level.
Regards,
~JG
Do rate helpful posts
06-13-2008 02:49 AM
Not too hard...
1) Make sure ACS is correctly mapping from Windows group to ACS group (under the external authentication page). Basically get admins to map to an ACS admins group and everyone else to a non-admin ACS group.
2) In the ACS group selected to be the non-admins group, create an IP-based NAR (network access restriction) that is a DENY on "All AAA Clients", port=*, addr=*
This very simple approach lets the admins have total access (you may want to tighten later) and non-admins nothing.
NAR filtering is applied during authentication, so the Failed Attempts report should show the user was filtered rather than rejected.
Darran
06-13-2008 05:09 AM
There are two sections in NARs.
1st is IP-based NAR
2nd is CLI/DNIS-based.
So for wireless users you need to apply only the IP-based NAR. By this, wireless users will NOT be able to ssh/telnet, but they can connect to the wireless network.
So does that solve your issue?
Check out this white paper,
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
Regards,
~JG
Do rate helpful posts
06-13-2008 06:01 AM
Thanks for the reply...
I am not getting the syntax for
(( DENY on "All AAA Clients", port=*, addr=* ))
I need to deny access to the router (AAA client 192.168.1.100) for group "Users" for telnet and ssh only..... and the same for the AP (Aironet) (AAA client 192.168.1.150).
06-13-2008 06:44 AM
Go to ACS -> Interface Configuration -> Advanced Options -> enable Group-Level Network Access Restrictions -> Submit.
Regards,
~JG
06-13-2008 06:49 AM
Thanks...
I had already enabled Group-Level Network Access Restrictions, but blocking the AAA client for the non-admin (Users) group is not working....
06-13-2008 06:50 AM
Please attach the NAR screenshot.
06-13-2008 07:29 AM
06-13-2008 08:09 AM
Use "*" for port and IP address
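The approach worked out in this thread (map the AD admin group to one ACS group, put a DENY NAR on the non-admin group, and either deny "All AAA Clients" or only the two AAA clients named above) is modelled here as an added Python illustration. It is not ACS code and not anything posted by the participants; it does not talk to ACS. The ACS group names acs-admins and acs-users, the AD group "Domain Users", and the mapping table are assumptions, and NAR matching is simplified to the three fields the thread mentions (AAA client, port, address, with "*" as a wildcard).

```python
"""
Toy model of ACS group mapping plus group-level IP-based Network Access
Restrictions (NARs), added as an illustration of the thread's approach.
Not ACS code; group names, AD group names and the mapping are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address

ALL_AAA_CLIENTS = "All AAA Clients"   # the "all clients" selector named in the thread


@dataclass(frozen=True)
class NarDeny:
    """One DENY entry of an IP-based NAR: AAA client, port, address ('*' = any)."""
    aaa_client: str          # AAA client IP, or ALL_AAA_CLIENTS
    port: str = "*"          # NAS port; '*' matches any
    addr: str = "*"          # calling/source address; '*' matches any

    def matches(self, client_ip: str, port: str, addr: str) -> bool:
        client_ok = self.aaa_client in (ALL_AAA_CLIENTS, client_ip)
        return client_ok and self.port in ("*", port) and self.addr in ("*", addr)


@dataclass
class AcsGroup:
    name: str
    denies: tuple = ()       # empty tuple = no NAR on this group


# Assumed AD -> ACS group mapping; anyone not matched lands in the default group.
AD_TO_ACS = {"Administrators": "acs-admins"}
DEFAULT_ACS_GROUP = "acs-users"

# Darran's variant: non-admins get a DENY on "All AAA Clients", port=*, addr=*.
DENY_ALL_POLICY = {
    "acs-admins": AcsGroup("acs-admins"),
    "acs-users": AcsGroup("acs-users", (NarDeny(ALL_AAA_CLIENTS, "*", "*"),)),
}

# Per-device variant from the follow-up question: deny only the router and the
# Aironet AP (AAA client addresses taken from the thread), with "*" for the rest.
PER_DEVICE_POLICY = {
    "acs-admins": AcsGroup("acs-admins"),
    "acs-users": AcsGroup("acs-users", (NarDeny("192.168.1.100"),
                                        NarDeny("192.168.1.150"))),
}


def map_to_acs_group(ad_groups):
    """First AD group with a mapping wins; otherwise the default ACS group."""
    for g in ad_groups:
        if g in AD_TO_ACS:
            return AD_TO_ACS[g]
    return DEFAULT_ACS_GROUP


def evaluate(ad_groups, aaa_client_ip, port="*", addr="*", policy=DENY_ALL_POLICY):
    """Return ('permitted', group) or ('filtered', group).

    'filtered' is the NAR outcome; as noted in the thread it is what the
    Failed Attempts report shows, as opposed to a password rejection
    (assumption: the credential check has already succeeded).
    """
    ip_address(aaa_client_ip)            # reject malformed client addresses early
    group = policy[map_to_acs_group(ad_groups)]
    for deny in group.denies:
        if deny.matches(aaa_client_ip, port, addr):
            return ("filtered", group.name)
    return ("permitted", group.name)


if __name__ == "__main__":
    # Constructed requests: an admin and a plain domain user hitting the router,
    # and the plain user hitting a device outside the per-device deny list.
    requests = [(["Administrators"], "192.168.1.100"),
                (["Domain Users"], "192.168.1.100"),
                (["Domain Users"], "10.0.0.5")]
    for who, client in requests:
        print(who, client,
              "deny-all:", evaluate(who, client),
              "per-device:", evaluate(who, client, policy=PER_DEVICE_POLICY))
```

The model makes JG's closing point visible: a user who maps to any group with an empty deny list is permitted, so the NAR has to exist on every non-admin group, including the default group that unmapped AD users fall into; there is no group-level "deny everyone else" to lean on.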
06-13-2008 08:24 AM
Thanks...
Instead of going to each group and defining a NAR, is there a way to allow for one group and deny for all other groups....