ACS - Network Access Restrictions

juamaya
Level 4

Hi,

All my users are in Active Directory. I can authenticate users (VPN, RAS and telnet) towards Radius server in ACS and now I need to control what they can access.

Does anyone have tips on how to configure NAR so:

- Net Admin users can telnet/ssh/http network devices

- VPN users can VPN into PIX

- RAS users can dial up with PPP?

In this case, some users profiles overlap. I mean

1. I am the net admin who can telnet/ssh/http the routers and must be able to VPN into the PIX.

2. Office users must be able to VPN in or dial up.

3. Remote routers can dial Backup to specific RAS servers.

Any tip about how I can create those "IP-based restrictions" or "CLI/DNIS access restrictions" is appreciated.

Thanks!

4 Replies

pradeepde
Level 5

chandlerbr
Level 1

Map the AD users to ACS Groups. As new users log in for the first time, they should get placed in the appropriate ACS group. You can manually move any user that has logged in and is in the ACS Default group.

Then in the ACS Group properties, allow the group access to individual network devices, or Network Device Groups. You might want to take a look at the Shared Profile Components in ACS as well. Pretty good stuff.

hth

Hi Chandler,

I am working on the same requirement. Do you happen to have the detailed configuration which you can share with us?

Cheers

Create NDGs [network device groups] and map what users/groups have access to what NDGs.
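The "AD user -> ACS group -> NDG" approach that the two replies above describe, worked through as an added example (this is not code from the thread and not Cisco ACS code; ACS itself is configured in its GUI). The script is a small Python model of how group-level Network Access Restrictions decide a request: an IP-based NAR is a permitted or denied list of NDGs, a CLI/DNIS NAR is a permitted or denied list of (calling number, called number) patterns, and every NAR attached to the user's group must pass. Because ACS places each user in exactly one group, the overlapping roles in the question (net admin who also uses VPN; office user who uses VPN or dial-up) become one combined group each. All NDG names, device names and IPs, group names, user names and phone numbers are constructed for illustration, and treating a request that carries no CLI/DNIS (telnet, VPN) as empty strings that only the `*` pattern matches is a simplification assumed here, not documented ACS behaviour.

```python
# Added example: simplified model of ACS group-level NARs (not ACS code).
# NDGs, AAA clients, groups, users and phone numbers are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

ANY = "*"  # wildcard entry, as in the ACS NAR dialogs


@dataclass(frozen=True)
class AaaClient:
    """A NAS (AAA client) as defined in ACS; each belongs to one NDG."""
    name: str
    ip: str
    ndg: str


@dataclass
class IpNar:
    """IP-based NAR. permitted=True: only the listed NDGs may be used;
    permitted=False: the listed NDGs are denied."""
    permitted: bool
    ndgs: Set[str]


@dataclass
class CliDnisNar:
    """CLI/DNIS NAR over (calling-number, called-number) glob patterns."""
    permitted: bool
    entries: Set[Tuple[str, str]]


@dataclass
class Group:
    name: str
    ip_nars: List[IpNar] = field(default_factory=list)
    cli_dnis_nars: List[CliDnisNar] = field(default_factory=list)


def evaluate(group: Group, client: AaaClient, cli: str = "", dnis: str = "") -> Tuple[bool, str]:
    """Return (allowed, reason). Every NAR on the group must pass.
    Assumption: a request with no CLI/DNIS is matched as empty strings."""
    for nar in group.ip_nars:
        matched = ANY in nar.ndgs or client.ndg in nar.ndgs
        if nar.permitted and not matched:
            return False, f"{client.name} is in NDG {client.ndg}, not in permitted {sorted(nar.ndgs)}"
        if not nar.permitted and matched:
            return False, f"NDG {client.ndg} is on the denied list"
    for nar in group.cli_dnis_nars:
        matched = any(fnmatchcase(cli, c) and fnmatchcase(dnis, d) for c, d in nar.entries)
        if nar.permitted and not matched:
            return False, f"CLI={cli or '-'} DNIS={dnis or '-'} not in permitted list"
        if not nar.permitted and matched:
            return False, f"CLI={cli or '-'} DNIS={dnis or '-'} is on the denied list"
    return True, f"all {len(group.ip_nars) + len(group.cli_dnis_nars)} NAR(s) passed"


# Constructed sample: three NDGs (Routers, PIX-VPN, RAS) and four AAA clients.
CLIENTS: Dict[str, AaaClient] = {
    "rtr-core1": AaaClient("rtr-core1", "10.0.0.1", "Routers"),
    "pix-vpn1": AaaClient("pix-vpn1", "192.0.2.1", "PIX-VPN"),
    "ras-hq": AaaClient("ras-hq", "10.0.1.10", "RAS"),
    "ras-dr": AaaClient("ras-dr", "10.0.2.10", "RAS"),
}

# One ACS group per distinct combination of roles, because an ACS user is in
# exactly one group: NetAdmin = case 1, Office = case 2, BackupRouters = case 3.
GROUPS: Dict[str, Group] = {
    "NetAdmin": Group("NetAdmin", [IpNar(True, {"Routers", "PIX-VPN"})]),
    "Office": Group("Office", [IpNar(True, {"PIX-VPN", "RAS"})]),
    "BackupRouters": Group(
        "BackupRouters",
        [IpNar(True, {"RAS"})],
        # any calling number, but only calls placed to the HQ RAS hunt group
        [CliDnisNar(True, {(ANY, "5551000")})],  # constructed number
    ),
}

# AD user -> ACS group mapping (the "map the AD users to ACS groups" step).
USER_GROUP: Dict[str, str] = {"alice": "NetAdmin", "bob": "Office", "rtr-branch7": "BackupRouters"}


def authorize(user: str, client_name: str, cli: str = "", dnis: str = "") -> Tuple[bool, str]:
    """Look up the user's single ACS group and evaluate its NARs for this NAS."""
    return evaluate(GROUPS[USER_GROUP[user]], CLIENTS[client_name], cli, dnis)


if __name__ == "__main__":
    for req in [("alice", "rtr-core1"), ("alice", "pix-vpn1"), ("alice", "ras-hq"),
                ("bob", "rtr-core1"), ("bob", "ras-dr"),
                ("rtr-branch7", "ras-hq", "5552001", "5551000"),
                ("rtr-branch7", "ras-dr", "5552001", "5551999")]:
        ok, why = authorize(*req)
        print(f"{req[0]:>12} -> {req[1]:<10} {'PERMIT' if ok else 'DENY  '} ({why})")
```

The point to take from the model is the data layout rather than the matching code: per-device restrictions are expressed once on the NDG, the group carries the NAR, and the only per-user decision is which single group the AD-mapped user lands in. Adding a fourth combination (say, an office user who must also reach the routers) means adding a fourth group, not editing device entries.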