03-06-2014 11:26 AM - edited 03-10-2019 09:30 PM
How exactly does the ACS determine which users are authenticated for access to a device?
When our devices talk to the ACS, it checks LDAP for pass/fail. However, how do we prevent users who are in LDAP, but shouldn't have access to the device they're trying to get into?
I don't know much about ldap, etc.
In the External Database configuration it mentions:
- User Directory Subtree
- Group Directory Subtree
- User Object Type
- User Object Class
- Group Object Type
- Group Object Class
- Group Attribute Name
I want to make sure only a subset of LDAP users get access to our devices.
03-08-2014 08:17 AM
Moddy,
If I understood your question correctly, you want a specific set or group of users on the LDAP server to have access to your network devices (routers/switches/ASAs etc.) through an administrative session like Telnet/SSH.
I'm assuming your ACS is already integrated with LDAP and can fetch all the LDAP groups. In case you're facing problems integrating ACS with LDAP, a very quick way to sort this out could be to first test by browsing the LDAP database with a free LDAP browser such as Softerra: http://softerra-downloads.com
Once you've successfully bound to and browsed the tree with this browser, you can apply the same settings to ACS.
If that's what you need then I guess you can do it in two different ways:
1.] You can create users on the ACS > User Setup > under Password Authentication select LDAP as the external database. The same user should exist in the ACS local DB and on the LDAP server. However, the password will be checked against LDAP only; the ACS password will not be checked even if defined. Move all these users into a single group and configure a Network Access Restriction (NAR) on that group. How to configure NAR on ACS 4.x
2.] You can configure group mapping on ACS 4.x and map your ACS internal group to LDAP external groups. For all other combinations select the No Access group. On LDAP, create a group and make only those specific users members of it. On the ACS, configure a NAR on the mapped internal group. This way, only users who are part of that valid group on LDAP can access the devices defined under the NAR. Group Mapping with generic LDAP
Let me know if you have any questions.
Regards,
Jatin
** Do rate helpful posts**
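To make the second option concrete, here is an added illustration (not Cisco code and not part of either post) of the decision ACS 4.x makes once LDAP has said "password OK": resolve the user under the User Directory Subtree, collect the groups under the Group Directory Subtree whose Group Attribute lists the user's DN, map the first matching LDAP group to an ACS internal group with everything else falling to No Access, and then apply the NAR of that internal group to the device being accessed. The directory entries, DNs, attribute names (uid, cn, uniqueMember, groupOfUniqueNames), group names and device addresses are all constructed for the example; the NAR is modelled as a simple permit-list of device IPs, which is only one of the forms a real ACS NAR can take.

```python
"""Model of ACS 4.x LDAP group mapping + NAR evaluation.

Added illustration, not Cisco's implementation. The in-memory directory,
DNs, attribute names, group names and device IPs below are all constructed.
"""
from dataclasses import dataclass

# Constructed stand-in for the LDAP tree: dn -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    # Valid account, but outside the configured User Directory Subtree.
    "uid=svc-backup,ou=services,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["svc-backup"]},
    "cn=netadmins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["netadmins"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=helpdesk,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["helpdesk"],
        "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com"]},
}

NO_ACCESS = "No Access"  # ACS's catch-all group for unmapped users


@dataclass
class ExternalDbConfig:
    """The fields from the ACS External User Databases LDAP page."""
    user_dir_subtree: str
    group_dir_subtree: str
    user_object_type: str       # attribute holding the login name
    user_object_class: str
    group_object_type: str      # attribute holding the group name
    group_object_class: str
    group_attribute_name: str   # attribute listing member DNs


def in_subtree(dn: str, base: str) -> bool:
    return dn == base or dn.endswith("," + base)


def find_user_dn(cfg: ExternalDbConfig, username: str):
    """Locate the user entry, restricted to the configured subtree and class."""
    for dn, attrs in DIRECTORY.items():
        if (in_subtree(dn, cfg.user_dir_subtree)
                and cfg.user_object_class in attrs.get("objectClass", [])
                and username in attrs.get(cfg.user_object_type, [])):
            return dn
    return None


def ldap_groups_of(cfg: ExternalDbConfig, user_dn: str) -> set:
    """Groups under the group subtree whose member attribute names user_dn."""
    groups = set()
    for dn, attrs in DIRECTORY.items():
        if (in_subtree(dn, cfg.group_dir_subtree)
                and cfg.group_object_class in attrs.get("objectClass", [])
                and user_dn in attrs.get(cfg.group_attribute_name, [])):
            groups.update(attrs.get(cfg.group_object_type, []))
    return groups


def map_to_acs_group(cfg, username, group_mapping) -> str:
    """group_mapping is an ordered list of (ldap_group, acs_group); the first
    match wins and anything unmatched falls to NO_ACCESS, which is the
    'all other combinations' row the reply recommends."""
    user_dn = find_user_dn(cfg, username)
    if user_dn is None:
        return NO_ACCESS
    groups = ldap_groups_of(cfg, user_dn)
    for ldap_group, acs_group in group_mapping:
        if ldap_group in groups:
            return acs_group
    return NO_ACCESS


def nar_permits(acs_group: str, device_ip: str, nars: dict) -> bool:
    """Permit-list style NAR: acs_group -> set of device IPs it may reach."""
    if acs_group == NO_ACCESS:
        return False
    return device_ip in nars.get(acs_group, set())


def authorize(cfg, username, device_ip, group_mapping, nars):
    """Return (mapped ACS group, whether the NAR allows this device)."""
    acs_group = map_to_acs_group(cfg, username, group_mapping)
    return acs_group, nar_permits(acs_group, device_ip, nars)


# Constructed configuration, mapping table and NARs for the demo.
CFG = ExternalDbConfig("ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com",
                       "uid", "inetOrgPerson", "cn", "groupOfUniqueNames", "uniqueMember")
MAPPING = [("netadmins", "NetAdmins"), ("helpdesk", "Helpdesk")]
NARS = {"NetAdmins": {"10.0.0.1", "10.0.0.2"}, "Helpdesk": {"10.0.0.2"}}

if __name__ == "__main__":
    for user, dev in [("alice", "10.0.0.1"), ("bob", "10.0.0.1"),
                      ("svc-backup", "10.0.0.1"), ("mallory", "10.0.0.1")]:
        print(user, dev, authorize(CFG, user, dev, MAPPING, NARS))
```

The point the example makes is the one the question raises: a successful LDAP bind only proves the password. Whether the session is allowed is decided afterwards by which LDAP group the user's DN appears in, by the mapping table's default row, and by the NAR on the resulting internal group, so an account that is outside the User Directory Subtree or in no mapped group ends up in No Access even though its password is correct.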