06-19-2013 07:47 AM - edited 03-10-2019 08:33 PM
I have the AD authentication working but something funny is going on. Under Identity it is set to AD1 and I have our security group defined under the Active Directory directory groups, but anyone who has an AD account is able to authenticate. Any ideas?
06-19-2013 07:58 AM
What kind of authentication is this?
An AD account can be used to authenticate an ACS admin for GUI administration, and it can also be used for network/device administration. For both types we have to call/bind that security group in a rule. What you have done is just a selection of the group from AD.
Jatin Katyal
- Do rate helpful posts -
06-19-2013 08:03 AM
It is for network devices. Under default device admin>identity, the only option I see is AD1 for Identity source.
06-19-2013 08:16 AM
If you want to restrict access to just one group, perform steps from 10 to 14
http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc8514.shtml#ade
Jatin Katyal
- Do rate helpful posts -
06-19-2013 08:23 AM
I have done the authorization rule and it works, the problem is people that are not in the admin group in AD can still log into the switches/routers. Is there not a way to stop them from being able to log in at all?
06-19-2013 08:27 AM
What does your default policy say (deny or permit)? If it says deny and other users still have access to devices, then please go to TACACS authentication, click on the magnifying glass and check which authorization rule that request is going through.
Jatin Katyal
- Do rate helpful posts -
06-19-2013 08:46 AM
Thanks Jatin. I didn't even look at the default policy. Thanks a lot. That was the problem.
06-19-2013 08:48 AM
You're welcome
Jatin Katyal
- Do rate helpful posts -