Allow access to only one device through ACS 4.2

GRANT3779

Hi All,

I am running ACS 4.2 and want to configure a group for access to only specific devices.

I have set up a group in AD and matched this to a group in ACS. Under Network Configuration, I've added the device I want the users to access.

In group settings I've added the device under

Network Access Restrictions (NAR)

Is this correct, and is there anything else I should be doing? When logging into the device I get "authorisation failed". We have a group already set up for access to all devices which works fine, but I want this second group to be for only one device. Not sure where I'm going wrong with this.

The authentication is all done through AD.

Thanks

9 Replies

Jatin Katyal
Cisco Employee

You're on the right path. Seems like an issue with the NAR settings. Could you please attach the screenshot from the group > NAR section? Also, what protocol is in use, TACACS or RADIUS?

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi, sure,

See attached.

Thanks

Need some correction there.

In the AAA Client section: click on the drop-down menu and select the device you want to allow access to.

In the Port field: type *

In the Address field: type *

Click Enter.

Hit Submit + Restart.

Try again.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi,

If I go to Network Configuration there is already a group set up for what looks to be all devices: *.*.*.*

See attached.

I try to add a new group for my single device but it says it overlaps. Am I able to set up more than one group, or how do I configure a second group for just this one device?

Basically, at the moment I have an Admin ACS group in AD which has all our admins in it and has access to all devices using *.*.*.*. I now want my restricted AD group to have access to only one device, y.y.y.y, but still want the other admins to have access to all devices. Is this easily achieved?

Well, that's not the right practice. We should have the device created either with an IP range, a subnet, or a single AAA client. With the current settings you may not be able to configure NAR.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Jatin Katyal
- Do rate helpful posts -

~Jatin
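To make the overlap error and the NAR behaviour discussed above concrete, here is an added illustration (not ACS code, and not from this thread) that models AAA client address patterns the way ACS 4.x is assumed to accept them: a single IP, a per-octet wildcard such as 10.1.*.*, or a per-octet range such as 10.1.1.1-20. It checks whether a new AAA client collides with an existing one (the catch-all *.*.*.* collides with everything) and evaluates a permit-style NAR against the device a user logged in to. The pattern syntax and the "reject on overlap" rule are assumptions based on the thread, not taken from the ACS documentation.

```python
"""Model of ACS 4.x-style AAA client addresses and permit-NAR checks.

Assumed syntax: each octet is a number, '*' (any), or 'lo-hi' (range).
ACS rejects a new AAA client whose address overlaps an existing one.
"""
from typing import List, Optional, Tuple

Octet = Tuple[int, int]  # inclusive (low, high) bounds for one octet


def parse_pattern(pattern: str) -> List[Octet]:
    """Turn a pattern like '10.1.*.1-20' into four (low, high) octet ranges."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad address pattern: {pattern!r}")
    ranges = []
    for part in octets:
        if part == "*":
            lo, hi = 0, 255
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range in {pattern!r}")
        ranges.append((lo, hi))
    return ranges


def overlaps(a: str, b: str) -> bool:
    """True when at least one concrete IP matches both patterns."""
    return all(alo <= bhi and blo <= ahi
               for (alo, ahi), (blo, bhi) in zip(parse_pattern(a), parse_pattern(b)))


def conflicting_client(existing: List[str], new: str) -> Optional[str]:
    """Return the existing AAA client that would make ACS reject `new`, if any."""
    return next((e for e in existing if overlaps(e, new)), None)


def nar_permits(permitted_clients: List[str], device_ip: str) -> bool:
    """Permit-style NAR: allow the login only if the device the user connected
    to is one of the AAA clients listed for the group."""
    return any(overlaps(p, device_ip) for p in permitted_clients)
```

With a constructed table of `["10.1.1.*", "10.2.*.*"]` a new single-device client `10.9.9.9` is accepted, whereas the same client against `["*.*.*.*"]` is reported as conflicting, which is the thread's situation.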

Hi Jatin,

Appreciate the help. This was setup before my time...

Ok, so do you suggest removing the *.*.*.* and starting to add new groups for individual sets of devices and subnets? I guess this is best practice?

Thanks

Yup, your understanding is correct, a little time consuming though.

Currently, it's wide open for all/any network devices, protected only by the shared secret.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Managed to get this working by sorting into groups/subnets so thanks for the help with this.

Am I able to limit a group to only have access to certain commands, e.g. creating ephone-dns, etc.?

Thanks

Good to know. Yup, you can. Here is a link to configure the same:

ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Jatin Katyal
- Do rate helpful posts -

~Jatin