
ACS 5.2 Tacacs+ Authorization

stormfidus
Level 1

Hi All

I have an ACS 5.2 running, where we have set up Tacacs authentication on network devices - switches, routers etc.

It's working fine with external authentication towards a specific AD group for all devices.

I'm trying to segment the access based on the device IP subnet, but have only been successful doing this within Access Policies/Authorization and with the field "Device IP Address", which can only be equal to a specific IP address or not equal to it - it is not possible to choose a whole subnet.

The goal is to be able to map 2 different AD groups, where the group "full-access" has access to all the devices, and the group "partial-access" only has access to devices located in a specific subnet, such as only 10.30.0.0/16.

Does anybody know how to achieve this?

Accepted Solutions

Jatin Katyal
Cisco Employee

Have you tried device filter under policy elements > session conditions > network conditions > device filters? Once done, go to access-policy > authorization > click on customize tab > move the device filter in the selected section.

Regards,

Jatin Katyal


- Do rate helpful posts -

~Jatin
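
A way to check the intended outcome of such a rule table before relying on it, as an added example that is not part of the original posts and is not ACS code: a small Python model of two authorization rules that combine an AD group with a device filter, evaluated over a constructed set of users and devices. The rule names, user names, sample addresses, first-match evaluation and default deny are assumptions of this model.

```python
import ipaddress

# Constructed model of the rule table; rule names are hypothetical.
# device_filter=None means the rule has no device filter condition (any device).
RULES = [
    {"name": "full", "group": "full-access", "device_filter": None},
    {"name": "partial", "group": "partial-access", "device_filter": ["10.30.0.0/16"]},
]


def device_matches(device_ip, device_filter):
    """True if the device IP falls in any subnet of the filter (None = any device)."""
    if device_filter is None:
        return True
    ip = ipaddress.ip_address(device_ip)
    return any(ip in ipaddress.ip_network(net) for net in device_filter)


def authorize(user_groups, device_ip, rules=RULES):
    """Assumed semantics: first matching rule permits, no match means deny."""
    for rule in rules:
        if rule["group"] in user_groups and device_matches(device_ip, rule["device_filter"]):
            return "permit", rule["name"]
    return "deny", "default"


# Constructed sample users and devices. 10.3.0.1 and 10.31.0.1 sit just outside
# 10.30.0.0/16 and catch filters that were entered with the wrong mask.
USERS = {
    "alice": {"full-access"},
    "bob": {"partial-access"},
    "carol": {"domain-users"},
}
DEVICES = ["10.30.0.1", "10.30.255.254", "10.31.0.1", "10.3.0.1", "192.168.1.1"]


def access_matrix(users=USERS, devices=DEVICES):
    """Decision for every (user, device) pair, for review against the intended policy."""
    return {(u, d): authorize(groups, d)[0] for u, groups in users.items() for d in devices}


if __name__ == "__main__":
    for (user, device), decision in access_matrix().items():
        print(f"{user:6} {device:15} {decision}")
```

Comparing the printed matrix with real login attempts from a test account in each AD group shows whether the device filter and the rule order behave as intended.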

Hi Jatin

This was exactly what I was looking for, thanks!