02-18-2013 06:01 AM - edited 03-10-2019 08:06 PM
Hi All
I have an ACS 5.2 running, where we have set up TACACS authentication on network devices - switches, routers etc.
It's working fine with external authentication towards a specific AD group for all devices.
I'm trying to segment the access based on the device IP subnet, but have only been successful doing this within Access Policies/Authorization and with the field "Device IP Address", which can only be equal to a specific IP address or not equal to it - not possible to choose a whole subnet.
The goal is to be able to map 2 different AD groups, where the group "full-access" has access to all the devices, and the group "partial-access" only has access to devices located in a specific subnet, such as only 10.30.0.0/16.
Does anybody know how to achieve this?
02-18-2013 06:26 AM
Have you tried device filter under policy elements > session conditions > network conditions > device filters? Once done, go to access-policy > authorization > click on customize tab > move the device filter in the selected section.
Regards,
Jatin Katyal
- Do rate helpful posts -
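The policy the question asks for, modelled outside ACS so the intended outcome can be checked before the rules are built (an added example, not part of the original posts and not ACS code). The filter name, rule names, result labels and the first-match, default-deny evaluation are assumptions of this sketch; the test matrix is constructed.

```python
import ipaddress

# Hypothetical device filter: a named set of subnets, as the answer suggests
# defining under network conditions. Names here are constructed for the sketch.
DEVICE_FILTERS = {"Subnet-10.30": [ipaddress.ip_network("10.30.0.0/16")]}

# Ordered rule table, first match wins. device_filter=None matches any device.
RULES = [
    {"name": "full", "ad_group": "full-access", "device_filter": None},
    {"name": "partial", "ad_group": "partial-access", "device_filter": "Subnet-10.30"},
]


def in_filter(device_ip, filter_name):
    """True if the device address falls inside any subnet of the named filter."""
    addr = ipaddress.ip_address(device_ip)
    return any(addr in net for net in DEVICE_FILTERS[filter_name])


def authorize(ad_groups, device_ip):
    """Return (matched rule, 'permit' or 'deny') for a user's AD groups and a device IP."""
    for rule in RULES:
        if rule["ad_group"] not in ad_groups:
            continue
        if rule["device_filter"] and not in_filter(device_ip, rule["device_filter"]):
            continue
        return rule["name"], "permit"
    return "default", "deny"  # nothing matched: fall through to deny


# Constructed test matrix: (AD groups, device IP, expected result).
# 10.3.0.1 and 10.31.0.1 catch a filter built as a string prefix instead of a /16.
CASES = [
    ({"full-access"}, "192.168.1.1", "permit"),
    ({"partial-access"}, "10.30.255.254", "permit"),
    ({"partial-access"}, "10.31.0.1", "deny"),
    ({"partial-access"}, "10.3.0.1", "deny"),
    ({"full-access", "partial-access"}, "172.16.0.1", "permit"),
    (set(), "10.30.0.1", "deny"),
]


def audit(cases):
    """Return every case whose actual result differs from the expected one."""
    return [(g, ip, exp) for g, ip, exp in cases if authorize(g, ip)[1] != exp]


if __name__ == "__main__":
    print("mismatches:", audit(CASES))
```

The same matrix can be replayed against the real devices with test accounts from each AD group once the device filter is in the authorization rules.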
02-18-2013 12:22 PM
Hi Jatin
This was exactly what I was looking for, thanks!