Beginner

Cisco ACS 5.2: Device access and Network Access

Everyone,

I have a question regarding the Cisco Secure ACS 5.2 and network access vs. device admin access. We have our switches, routers, and firewall configured to use TACACS+. We also have configured our Wireless LAN Controller to use RADIUS to allow 802.1X authentication to the wireless network. We are using Active Directory for the backend user database and have assigned the users to different groups in AD. We have a Network Admins group to access the network devices and a Wireless Users group to access the WLAN. The problem that we have is that everyone in the Wireless Users group can access the devices and run full commands on them. We want to limit the Wireless Users group from being able to do this. Is there a policy or config change that we will need to make for this?

Thanks for any help you can provide.

JC

Advocate

Cisco ACS 5.2: Device access and Network Access

Hi,

You are sending back the wrong attributes for all users in your condition; my suggestion would be to leverage the Service-Type RADIUS attribute to determine which users can get the av-pair for administrative access.

The Service-Type attribute for dot1x users should be "Framed"; for admin login it should be "Login". You should be able to see this in the Monitoring and Reports section. Once you find this attribute, couple it with the domain user group to build the correct policy.

You can also switch and use TACACS+ for your WLC (are these Cisco?). If so, then the attribute role1=ALL should be sent back.

Thanks,

Tarik Admani
*Please rate helpful posts*

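As an added illustration (not part of this thread and not ACS code), here is a small Python simulation of the rule-table behaviour Tarik describes: the first rule set matches on AD group alone and reproduces the symptom from the question, the second adds RADIUS Service-Type as a second condition so only interactive logins by Network Admins get the admin shell profile. Rule names, group names and profile names are constructed; the Service-Type values are the RFC 2865 ones.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# RADIUS Service-Type values (RFC 2865), visible in the ACS monitoring reports
SERVICE_TYPE_LOGIN = 1   # Login-User: interactive login to a switch/router/firewall
SERVICE_TYPE_FRAMED = 2  # Framed-User: 802.1X data session from a wireless client

@dataclass
class Request:
    """The parts of an authentication request the rule table looks at."""
    user: str
    ad_groups: Set[str]
    service_type: int

@dataclass
class Rule:
    """One ACS-style authorization rule: conditions plus the profile it returns."""
    name: str
    ad_group: str
    profile: str
    service_type: Optional[int] = None  # None = Service-Type is not checked

def evaluate(rules: List[Rule], req: Request) -> str:
    """First-match evaluation; a request that matches no rule is denied."""
    for rule in rules:
        if rule.ad_group not in req.ad_groups:
            continue
        if rule.service_type is not None and rule.service_type != req.service_type:
            continue
        return rule.profile
    return "DenyAccess"

# "Before": a rule keyed on AD membership only. Constructed to reproduce the
# symptom in the question: wireless users get a priv-15 shell on the devices.
BEFORE = [Rule("AllDomainUsers", "Domain Users", "Shell-Priv15")]

# "After": Service-Type is a second condition. The admin shell profile is only
# returned for interactive logins by Network Admins; a wireless user logging in
# to a device matches nothing and is denied, while 802.1X access still works.
AFTER = [
    Rule("DeviceAdmins", "Network Admins", "Shell-Priv15", SERVICE_TYPE_LOGIN),
    Rule("WlanUsers", "Wireless Users", "WLAN-Access", SERVICE_TYPE_FRAMED),
]

# Constructed sample requests (every domain account is also in Domain Users)
ADMIN_LOGIN = Request("alice", {"Domain Users", "Network Admins"}, SERVICE_TYPE_LOGIN)
WIFI_DOT1X = Request("bob", {"Domain Users", "Wireless Users"}, SERVICE_TYPE_FRAMED)
WIFI_ON_SWITCH = Request("bob", {"Domain Users", "Wireless Users"}, SERVICE_TYPE_LOGIN)
```

Run `evaluate(BEFORE, WIFI_ON_SWITCH)` and `evaluate(AFTER, WIFI_ON_SWITCH)` side by side to see the wireless user's device login go from Shell-Priv15 to DenyAccess while the admin and 802.1X cases keep working.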
Beginner

Cisco ACS 5.2: Device access and Network Access

These are Cisco WLCs. I will try these suggestions. I will have to wait until after hours to make the change to the WLC policy, as this will knock the users off the WLAN.

Advocate

Cisco ACS 5.2: Device access and Network Access

That will work and good luck!

Tarik Admani
*Please rate helpful posts*