511 Views, 0 Helpful, 4 Replies

Blocking Tacacs users from Cisco devices

chris.wood11
Level 1

Hi,

I am in the process of configuring policies for a new ACS 5.7 rollout. We have a variety of devices, not just Cisco, and I need to configure policies that will allow groups of users ONLY onto those specific devices they are allowed to log onto and not onto the Cisco switches/routers.

Our old ACS 4 server manages this, but I have been unable to work out how, as there is nothing obvious on the policy! Ideally I don't want to use defined device groups as filtering in the policy, as this would be awkward due to the size of the estate.

I had thought that in the shell profiles for these users, setting the privilege level to 0 (zero) with the 'DenyAllCommands' command set would work, but it still allows them to log on to Cisco devices in testing.

Is there another way of doing this that I haven't yet thought of?

thanks

chris

4 Replies

Chris,

Configure the devices to require exec authorization, then configure ACS to deny authorization to those users that don't meet a required criterion (e.g., lack of membership in an AD group, etc.).

Javier Henderson

Cisco Systems
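As an added illustration (not from the thread, Cisco, or the ACS documentation), here is the IOS AAA configuration the reply above refers to, with a placeholder server address and shared secret. It also shows why a DenyAllCommands command set on its own does not stop a login: command authorization only filters commands once a shell already exists, whereas exec authorization is the request ACS can reject to refuse the session.

```cisco
! Constructed example: IOS AAA pointing at an ACS 5.x TACACS+ server.
! Server name, address and key are placeholders, not values from the thread.
aaa new-model
!
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key 0 PLACEHOLDER_SHARED_SECRET
!
aaa group server tacacs+ ACS-SERVERS
 server name ACS-PRIMARY
!
! Authentication alone: a user with valid credentials gets a shell and ACS
! is never asked whether this user may have one on this device.
aaa authentication login default group ACS-SERVERS local
!
! Exec authorization: after login, IOS asks ACS for a shell profile. If the
! ACS authorization policy returns a deny for this user/device, the session
! is refused. "local" is only used when no ACS server is reachable, not when
! ACS answers with a deny.
aaa authorization exec default group ACS-SERVERS local
!
! Command authorization is what a DenyAllCommands command set acts on. It
! runs per command inside an existing shell, so it restricts what the user
! can type but cannot prevent the login itself.
aaa authorization commands 1 default group ACS-SERVERS local
aaa authorization commands 15 default group ACS-SERVERS local
!
line vty 0 4
 login authentication default
 authorization exec default
```

Check the result from the ACS side by watching the authorization report for the test user: a denied exec request shows up as a failed authorization, while a successful login with only a command-set deny shows a permitted shell followed by denied commands.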

Thanks, the users will be local. All Cisco devices are (or should be) configured with AAA, but reconfiguring them is out of the question because of the number of them. The other devices are Bluecoats/BigIPs etc., which they should only be able to access.

When you say they're configured for AAA, are they already configured for authorization?

Yes, they are. Ta.