Cisco ACS 5.3 - How to only allow specific AD groups to login

jeff.ortega
Beginner

Can anyone help me figure out what I have wrong or have missing?

I've configured three specific AD groups, Admin, Storage, and HelpDesk, with their own commands sets.

This seems to be working fine, but everyone can log into everything, but they can't do anything except exit.

My goal is to not allow anyone to login that is not part of the three AD groups I have specified with the respective command sets.

All the logins hit the Admin account, even though the id in AD is not in that AD group.  I have something screwed up.

1 Accepted Solution

Accepted Solutions

Tarik Admani
Advocate

Check your authorization rules, make sure the default rule isn't set to Permit. Group Mapping is only mapping AD groups to internal ACS groups, we need to check your authorization rules to see which policies the users are hitting, you may want to reset the hit count and test to see which policy is allowing access.

Thanks,

Tarik Admani
*Please rate helpful posts*
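As an added illustration (not ACS code and not the poster's configuration), a small first-match model of the authorization policy discussed above, with per-rule hit counters: it shows why a default rule of Permit lets any authenticated AD user through, and how resetting hit counts reveals which rule allowed a login. Rule and command-set names are made up.

```python
from dataclasses import dataclass

# Constructed model of an ACS-style first-match authorization policy
# (example code, not Cisco's). Each rule maps an AD group to a command set.
@dataclass
class Rule:
    name: str
    ad_group: str          # condition: user must be a member of this AD group
    command_set: str       # result granted on match
    hits: int = 0

@dataclass
class Policy:
    rules: list
    default_result: str    # "Permit Access" (the misconfiguration) or "DenyAccess"
    default_hits: int = 0

    def evaluate(self, user_groups):
        """Return (matched_rule_name, result) for a user's AD group list."""
        for rule in self.rules:
            if rule.ad_group in user_groups:
                rule.hits += 1
                return rule.name, rule.command_set
        # No rule matched: the default rule decides, exactly as in ACS.
        self.default_hits += 1
        return "Default", self.default_result

    def reset_hit_counts(self):
        for rule in self.rules:
            rule.hits = 0
        self.default_hits = 0

    def hit_report(self):
        report = {r.name: r.hits for r in self.rules}
        report["Default"] = self.default_hits
        return report

def build_policy(default_result):
    # Hypothetical rule table mirroring the three AD groups in the thread.
    return Policy(rules=[Rule("Admin", "Admin", "CMD-Admin"),
                         Rule("Storage", "Storage", "CMD-Storage"),
                         Rule("HelpDesk", "HelpDesk", "CMD-HelpDesk")],
                  default_result=default_result)

def login_outcome(default_result, user_groups):
    """Evaluate one login; a DenyAccess result means the login is rejected."""
    policy = build_policy(default_result)
    rule, result = policy.evaluate(user_groups)
    return rule, result, result != "DenyAccess"
```

A user in none of the three groups falls to the default rule in both cases; only with DenyAccess is the login rejected, and the "Default" hit counter is what exposes the leak.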


6 Replies

Thank you.  I found the problem with your assistance.  Had the permit set. Then set it to DenyAccess.

dpatzold1979
Beginner

I have a similar setup but I do not see a deny access authorization profile to use for the default. Can you explain how you set the default to deny access?

Under authorization, check the check box for default, click on Edit and select the deny access profile.

Regards

Minakshi (do rate the helpful post)

Something must be broken for my install of 5.4 because I do not have a deny access authorization profile, only permit access.

Ugh, never mind. You have to actually click on the Select button to see the deny access profile, which does not show up in the policy elements. Thanks man, it worked.
