ACS 5.4 AD Integration Allows All Users

matt.nasi
Level 1

Hello,

I've been struggling to find out why our ACS deployment allows everyone within AD to login to our devices.  They are not able to do anything because of the command authorization but I don't understand why EVERYONE is allowed in when I specified a specific group to only be allowed access.  That group is allowed full access which is fine but it still bothers me that anyone on our domain can just log in period.

Any thoughts?  Thanks.

Matt

1 Accepted Solution

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Matt,

Just specifying a group in a policy does not mean that the rest of the users, in other groups, will be denied.

Make sure that the default action for that policy (I mean, if a request does not match the previously configured rule) is drop. Then it should work as you want.

Check my blog at http://laguiadelnetworking.com and subscribe so you can get daily information about networking.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
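To make the accepted answer concrete, here is an added Python model of a first-match rule table with a default rule; it is illustrative code written for this page, not ACS code or anything posted in the thread, and the user names, group names and result strings are constructed.

```python
"""Model of how a first-match rule table with a default rule decides access.

A single rule that permits one AD group does not, by itself, deny users in
other groups: anyone who matches no rule falls through to the default rule,
so the default decides whether "everyone in AD" gets in.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset   # AD group names that match this rule (constructed)
    result: str         # "Permit" or "Deny" (constructed result names)


@dataclass
class RuleTable:
    rules: list
    default_result: str  # applied when no rule matches the request

    def evaluate(self, user_groups):
        """First matching rule wins; otherwise the default rule applies."""
        for rule in self.rules:
            if rule.groups & set(user_groups):
                return rule.result, rule.name
        return self.default_result, "Default"


# Constructed sample users and their AD group memberships.
USERS = {
    "netadmin": {"NetworkAdmins", "Domain Users"},
    "alice": {"Domain Users"},
    "bob": {"Finance", "Domain Users"},
}

ADMIN_RULE = Rule("Admins", frozenset({"NetworkAdmins"}), "Permit")

# Weak: one permit rule and a permissive default, so every AD user logs in.
WEAK = RuleTable([ADMIN_RULE], default_result="Permit")
# Corrected: same rule, but the default rule denies unmatched users.
FIXED = RuleTable([ADMIN_RULE], default_result="Deny")
# The original poster's fix: an explicit deny rule catching everyone else.
EXPLICIT_DENY = RuleTable(
    [ADMIN_RULE, Rule("DenyOthers", frozenset({"Domain Users"}), "Deny")],
    default_result="Permit",
)


def who_gets_in(table):
    """Return the sorted list of users the table permits."""
    return sorted(u for u, g in USERS.items() if table.evaluate(g)[0] == "Permit")


def has_permissive_default(table):
    """Audit check: a permit default with only permit rules admits everyone."""
    return table.default_result == "Permit" and all(r.result == "Permit" for r in table.rules)
```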


5 Replies


Much like the previous user said, you will need to check that your default policy is set to deny.

Sent from Cisco Technical Support iPad App

Julio Carvajal
VIP Alumni

Do you still have any questions?

Otherwise, mark the question as answered.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

matt.nasi
Level 1

Identity was already set to drop; the way to fix my issue was actually to CREATE a deny policy under authorization.

blenka
Level 3

The IP addresses and subnet masks that are associated with the network device. Select to enter a single IP address or to define a range.

For the steps to get the job done, please go through the link below:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/net_resources.html#wp1060126
