Cisco ACS 5.2: Device access and Network Access
10-16-2012 07:48 AM - edited 03-10-2019 07:40 PM
Everyone,
I have a question regarding the Cisco Secure ACS 5.2 and network access vs. device admin access. We have our switches, routers, and firewall configured to use TACACS+. We have also configured our Wireless LAN Controller to use RADIUS to allow 802.1X authentication to the wireless network. We are using Active Directory for the backend user database and have assigned the users to different groups in AD. We have a Network Admins group to access the network devices and a Wireless Users group to access the WLAN. The problem we have is that everyone in the Wireless Users group can access the devices and run full commands on them. We want to stop the Wireless Users group from being able to do this. Is there a policy or config change that we will need to make for this?
Thanks for any help you can provide.
JC
Labels: AAA
10-16-2012 07:58 AM
Hi,
You are sending back the wrong attributes for all users in your condition. My suggestion would be to leverage the Service-Type RADIUS attribute to determine which users can get the av-pair for administrative access.
The Service-Type attribute for dot1x users should be "Framed"; for admin login it should be "Login". You should be able to see this in the Monitoring and Reports section. Once you find this attribute, couple it with the domain user group to build the correct policy.
You can also switch to TACACS+ for your WLC (are these Cisco?). If so, then the attribute role1=ALL should be sent back.
Thanks,
Tarik Admani
*Please rate helpful posts*
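To make the approach in the reply above concrete, here is a small model of a rule-based authorization policy in the style of ACS 5.x. It is an added example, not code from the thread or from Cisco ACS: it keys each rule on the AAA protocol (TACACS+ for device administration, RADIUS for 802.1X), the RADIUS Service-Type value (Framed for dot1x supplicants, Login for administrative logins, per RFC 2865) and the user's AD group, and contrasts a policy that hands a privileged shell to any authenticated TACACS+ user with one that restricts it to Network Admins. The group names, the priv-lvl 15 result and the role1=ALL attribute for a WLC over TACACS+ come from the thread; the rule names, the device_type field and the request dictionaries are constructed sample data.

```python
"""Toy first-match authorization policy, modelled on how an ACS 5.x
authorization policy is evaluated.  Added example; rule names, the
device_type condition and all sample requests are constructed."""
from dataclasses import dataclass
from typing import Optional

# RADIUS Service-Type values (RFC 2865, section 5.6).
SERVICE_TYPE_LOGIN = 1    # interactive/administrative login
SERVICE_TYPE_FRAMED = 2   # 802.1X supplicant, i.e. plain network access

DENY = {"access": "deny"}


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str                         # "tacacs+" or "radius"
    groups: Optional[frozenset] = None    # AD groups (any may match); None = any group
    service_type: Optional[int] = None    # RADIUS Service-Type; None = don't care
    device_type: Optional[str] = None     # network device group; None = don't care
    result: Optional[dict] = None         # attributes returned on a match

    def matches(self, req: dict) -> bool:
        """All configured conditions must hold for the rule to fire."""
        if req["protocol"] != self.protocol:
            return False
        if self.groups is not None and not (self.groups & set(req["ad_groups"])):
            return False
        if self.service_type is not None and req.get("service_type") != self.service_type:
            return False
        if self.device_type is not None and req.get("device_type") != self.device_type:
            return False
        return True


def authorize(req: dict, policy: list) -> dict:
    """First matching rule wins; anything unmatched falls to the default deny."""
    for rule in policy:
        if rule.matches(req):
            return dict(rule.result, rule=rule.name)
    return dict(DENY, rule="default")


# Policy as described in the question: every authenticated TACACS+ user,
# regardless of AD group, is given the administrative shell profile.
BROKEN_POLICY = [
    Rule("AnyUser-DeviceShell", "tacacs+", result={"access": "permit", "priv-lvl": 15}),
    Rule("AnyUser-Dot1x", "radius", service_type=SERVICE_TYPE_FRAMED,
         result={"access": "permit"}),
]

# Corrected policy: administrative results are tied to the Network Admins
# group, and RADIUS logins are split by Service-Type so a dot1x supplicant
# can never pick up the admin av-pair.  The WLC rule sits first because the
# later device-shell rule has no device_type condition.
FIXED_POLICY = [
    Rule("NetworkAdmins-WLC-Mgmt", "tacacs+", frozenset({"Network Admins"}),
         device_type="WLC", result={"access": "permit", "role1": "ALL"}),
    Rule("NetworkAdmins-DeviceShell", "tacacs+", frozenset({"Network Admins"}),
         result={"access": "permit", "priv-lvl": 15}),
    Rule("NetworkAdmins-RadiusLogin", "radius", frozenset({"Network Admins"}),
         service_type=SERVICE_TYPE_LOGIN,
         result={"access": "permit", "cisco-av-pair": "shell:priv-lvl=15"}),
    Rule("WirelessUsers-Dot1x", "radius", frozenset({"Wireless Users", "Network Admins"}),
         service_type=SERVICE_TYPE_FRAMED, result={"access": "permit"}),
]

# Constructed sample requests (not real ACS log data).
WIRELESS_USER_DOT1X = {"user": "jdoe", "ad_groups": ["Wireless Users"],
                       "protocol": "radius", "service_type": SERVICE_TYPE_FRAMED,
                       "device_type": "WLC"}
WIRELESS_USER_SSH_SWITCH = {"user": "jdoe", "ad_groups": ["Wireless Users"],
                            "protocol": "tacacs+", "device_type": "Switch"}
WIRELESS_USER_RADIUS_LOGIN = {"user": "jdoe", "ad_groups": ["Wireless Users"],
                              "protocol": "radius", "service_type": SERVICE_TYPE_LOGIN,
                              "device_type": "Switch"}
ADMIN_SSH_SWITCH = {"user": "admin1", "ad_groups": ["Network Admins"],
                    "protocol": "tacacs+", "device_type": "Switch"}
ADMIN_WLC_TACACS = {"user": "admin1", "ad_groups": ["Network Admins"],
                    "protocol": "tacacs+", "device_type": "WLC"}

if __name__ == "__main__":
    for label, req in [("wireless user, SSH to switch", WIRELESS_USER_SSH_SWITCH),
                       ("wireless user, 802.1X", WIRELESS_USER_DOT1X),
                       ("wireless user, RADIUS Login", WIRELESS_USER_RADIUS_LOGIN),
                       ("admin, SSH to switch", ADMIN_SSH_SWITCH),
                       ("admin, TACACS+ to WLC", ADMIN_WLC_TACACS)]:
        print(f"{label:30} broken={authorize(req, BROKEN_POLICY)}  "
              f"fixed={authorize(req, FIXED_POLICY)}")
```

Running it shows the symptom from the question (the wireless user gets priv-lvl 15 under BROKEN_POLICY) and the fix (the same request falls to the default deny under FIXED_POLICY while 802.1X access still succeeds). In a real ACS deployment the equivalent is adding the AD group and Service-Type conditions to the Device Admin and Network Access authorization rules and checking the resulting rule hits in Monitoring and Reports.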
10-16-2012 08:01 AM
These are Cisco WLCs. I will try these suggestions. I will have to wait until after hours to make the change to the WLC policy, as this will knock the users off the WLAN.
10-16-2012 08:02 AM
That will work and good luck!
Tarik Admani
*Please rate helpful posts*
