08-21-2013 03:23 PM - edited 03-10-2019 08:48 PM
Hello,
I've been struggling to find out why our ACS deployment allows everyone within AD to log in to our devices. They are not able to do anything because of the command authorization, but I don't understand why EVERYONE is allowed in when I specified a specific group to only be allowed access. That group is allowed full access, which is fine, but it still bothers me that anyone on our domain can just log in, period.
Any thoughts? Thanks.
Matt
08-21-2013 08:59 PM
Hello Matt,
Just specifying a group in a policy does not mean that the rest of the users in different groups will get denied.
Make sure that the default action for that policy (I mean if you do not match the previously configured rule) is drop. (Then it should work as you want.)
Check my blog at http://laguiadelnetworking.com and subscribe so you can get daily information about networking.
Cheers,
Julio Carvajal Segura
08-21-2013 11:28 PM
Much like the previous user said, you will need to check that your default policy is set to deny.
08-25-2013 12:09 PM
Do you still have any questions?
Otherwise, mark the question as answered.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
For any questions, contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
08-26-2013 09:22 AM
Identity was already set to drop; the way to fix my issue was actually to CREATE a deny policy under authorization.
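The behaviour discussed in this thread, as an added example that is not part of any post and is not Cisco ACS code: a simplified Python model of a two-stage policy (identity, then first-match authorization with a default rule). User, group, rule and result names are constructed, and the default result and the shape of the deny rule are assumptions chosen to match the symptoms described.

```python
# Simplified model, NOT Cisco ACS code. All names and results are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset  # AD groups this rule matches
    result: str        # e.g. "permit-full" or "deny"

# Constructed directory: user -> AD group membership
DIRECTORY = {
    "alice": {"Domain Users", "NetAdmins"},
    "bob": {"Domain Users"},
}

def authenticate(user, identity_default="drop"):
    """Identity stage: any valid AD account passes, others get the default."""
    return "pass" if user in DIRECTORY else identity_default

def authorize(user, rules, default_result):
    """Authorization stage: first matching rule wins, else the default rule."""
    for rule in rules:
        if DIRECTORY[user] & rule.groups:
            return rule.name, rule.result
    return "Default", default_result

def login(user, rules, default_result):
    if authenticate(user) != "pass":
        return "rejected at identity"
    name, result = authorize(user, rules, default_result)
    return f"{result} (rule: {name})"

def default_rule_sessions(rules, default_result):
    """Audit helper: users admitted only because the default rule is not deny."""
    if default_result == "deny":
        return []
    return sorted(u for u in DIRECTORY
                  if authorize(u, rules, default_result)[0] == "Default")

# Assumed default: login allowed, every command denied (the symptom in the thread).
ASSUMED_DEFAULT = "permit-login-no-commands"
BEFORE = [Rule("Admins", frozenset({"NetAdmins"}), "permit-full")]
# Assumed shape of the fix: an explicit deny rule after the admin rule.
AFTER = BEFORE + [Rule("DenyOthers", frozenset({"Domain Users"}), "deny")]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        for user in ("alice", "bob", "mallory"):
            print(label, user, "->", login(user, rules, ASSUMED_DEFAULT))
```

The identity stage set to drop only rejects accounts that fail authentication; a valid domain user outside the admin group still reaches the authorization stage and is handled by whatever rule matches there.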
08-28-2013 11:56 AM
The IP addresses and subnet masks that are associated with the network device. Select to enter a single IP address or to define a range.
For the steps to get the job done, please go through the link below: