
ACS 5.4 & AD authentication

network_guy
Level 1

I have the AD authentication working, but something funny is going on. Under Identity it is set to AD1, and I have our security group defined under the Active Directory directory groups, but anyone who has an AD account is able to authenticate. Any ideas?


7 Replies

Jatin Katyal
Cisco Employee

What kind of authentication is this?

An AD account can be used to authenticate an ACS admin for GUI administration, and it can also be used for network/device administration as well. For both types we have to call/bind that security group in a rule. What you have done is just a selection of the group from AD.

Jatin Katyal
- Do rate helpful posts -

~Jatin

It is for network devices. Under Default Device Admin > Identity, the only option I see is AD1 for the identity source.

If you want to restrict access to just one group, perform steps 10 to 14:

http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml#ade

~Jatin

I have done the authorization rule and it works; the problem is that people who are not in the admin group in AD can still log into the switches/routers. Is there not a way to stop them from being able to log in at all?

What does your default policy say (deny or permit)? If it says deny and other users still have access to devices, then please go to TACACS authentication, click on the magnifying glass and check which authorization rule that request is going through.

~Jatin
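The two points made in this thread (the AD group has to be bound as a condition in an authorization rule, and anyone who matches no rule falls through to the policy's Default rule) can be seen in a small model of how ACS 5.x evaluates a device-admin authorization policy. This is an added example, not Cisco code or anything from the original posts: the rule order, first-match evaluation and the "Permit Access" / "Deny Access" Default results follow the ACS 5.x policy model, but the user names, the AD group "NetworkAdmins", the shell profile "Priv15-Shell" and the password handling are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample directory: the groups AD1 would return for each account.
# Account and group names are made up for this example.
AD_USERS = {
    "alice": {"Domain Users", "NetworkAdmins"},
    "bob":   {"Domain Users", "HelpDesk"},
}


@dataclass(frozen=True)
class Rule:
    """One row of the authorization policy.

    ad_group is the condition (AD1:ExternalGroups contains this group);
    result is the shell profile to hand back, or "Deny Access".
    """
    name: str
    ad_group: str
    result: str


@dataclass(frozen=True)
class AuthzPolicy:
    rules: tuple            # evaluated top to bottom, first match wins
    default_result: str     # the policy's Default rule: "Permit Access" or "Deny Access"


def authenticate(username, password, directory=AD_USERS):
    """Identity step: ACS binds to AD with the supplied credentials.

    Any valid AD account passes here; group membership plays no part.
    The password check is simulated (any non-empty password for a known account).
    """
    return username in directory and bool(password)


def authorize(policy, groups):
    """Authorization step: first matching rule, otherwise the Default rule."""
    for rule in policy.rules:
        if rule.ad_group in groups:
            return rule.name, rule.result
    return "Default", policy.default_result


def device_login(policy, username, password, directory=AD_USERS):
    """Outcome of a TACACS+ login as (authn status, rule hit, result)."""
    if not authenticate(username, password, directory):
        return ("authn-failed", None, "Deny Access")
    rule_hit, result = authorize(policy, directory[username])
    return ("authn-ok", rule_hit, result)


# The group rule from the linked procedure (steps 10 to 14).
NETADMIN_RULE = Rule("NetAdmins", "NetworkAdmins", "Priv15-Shell")

# What the original poster had: the group rule plus a Default of Permit Access.
FAIL_OPEN = AuthzPolicy((NETADMIN_RULE,), "Permit Access")

# What the accepted answer points at: the same rule with Default set to Deny Access.
FAIL_CLOSED = AuthzPolicy((NETADMIN_RULE,), "Deny Access")


def report(policy, directory=AD_USERS):
    """What the TACACS+ authentication report (magnifying glass) would show per user."""
    return {user: device_login(policy, user, "pw", directory) for user in directory}


if __name__ == "__main__":
    for label, policy in (("fail-open", FAIL_OPEN), ("fail-closed", FAIL_CLOSED)):
        print(label)
        for user, outcome in report(policy).items():
            print(f"  {user}: {outcome}")
```

Running it shows bob, who is in AD but not in NetworkAdmins, hitting the "Default" rule in both policies: with the shipped "Permit Access" he gets a shell, with "Deny Access" he is refused. Alice hits the NetAdmins rule either way, and an account AD does not know fails at authentication before any rule is consulted. That per-request rule name is exactly what the accepted answer suggests checking in the TACACS+ authentication report.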

Thanks Jatin. I didn't even look at the default policy. Thanks a lot. That was the problem.

You're welcome.

~Jatin