Beginner

Cisco ACS 5.3 - How to only allow specific AD groups to login

Can anyone help me figure out what I have wrong or have missing?

I've configured three specific AD groups, Admin, Storage, and HelpDesk, each with its own command set.

This seems to be working fine, but everyone can log into everything; they just can't do anything except exit.

My goal is to not allow anyone to log in who is not part of the three AD groups I have specified with the respective command sets.

[attached screenshot: 11-5-2012 11-02-03 AM.jpg]

All the logins hit the Admin account, even though the ID in AD is not in that AD group. I have something screwed up.

ACCEPTED SOLUTION
Advocate

Cisco ACS 5.3 - How to only allow specific AD groups to login

Check your authorization rules, and make sure the default rule isn't set to Permit. Group Mapping only maps AD groups to internal ACS groups; we need to check your authorization rules to see which policies the users are hitting. You may want to reset the hit count and test to see which policy is allowing access.

Thanks,

Tarik Admani
*Please rate helpful posts*
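To make the accepted answer concrete, here is an added example (not code from the original thread or from Cisco) that models an ACS 5.x device-administration authorization policy as an ordered list of first-match rules followed by a catch-all default rule, the structure the answer tells the poster to inspect. The rule names, AD group names, result strings and sample users are constructed assumptions. It shows the failure mode in the thread: with the default rule left at Permit Access, a user who is in none of the three AD groups still reaches the default rule and is let in; with the default set to DenyAccess the same user is rejected. Per-rule hit counters mirror the suggestion to reset the hit count and watch which rule is actually being matched.

```python
"""Simplified model of a first-match authorization policy with a default rule.

Added example. The evaluation order (top-down, first match wins, default rule
last) is the assumed model; rule/group names and users are constructed.
"""
from dataclasses import dataclass
from typing import Optional

DENY = "DenyAccess"
PERMIT = "PermitAccess"


@dataclass
class Rule:
    name: str
    # AD groups that satisfy this rule; None means "no condition" (matches everyone)
    groups: Optional[frozenset] = None
    result: str = DENY
    hits: int = 0

    def matches(self, user_groups: frozenset) -> bool:
        if self.groups is None:
            return True
        return bool(self.groups & user_groups)


@dataclass
class AuthzPolicy:
    rules: list
    default: Rule

    def evaluate(self, user_groups):
        """Top-down first match; the default rule applies when nothing matched."""
        ug = frozenset(user_groups)
        for rule in self.rules:
            if rule.matches(ug):
                rule.hits += 1
                return rule.name, rule.result
        self.default.hits += 1
        return self.default.name, self.default.result

    def reset_hit_counts(self):
        for r in self.rules + [self.default]:
            r.hits = 0


def build_policy(default_result: str) -> AuthzPolicy:
    # Assumed rule set: one rule per AD group, each returning its own command set
    rules = [
        Rule("Admin", frozenset({"AD-Admin"}), "AdminCommandSet"),
        Rule("Storage", frozenset({"AD-Storage"}), "StorageCommandSet"),
        Rule("HelpDesk", frozenset({"AD-HelpDesk"}), "HelpDeskCommandSet"),
    ]
    return AuthzPolicy(rules, Rule("Default", None, default_result))


# Constructed sample users and their AD group memberships
USERS = {
    "alice": {"AD-Admin", "Domain Users"},
    "bob": {"AD-Storage", "Domain Users"},
    "carol": {"AD-HelpDesk"},
    "mallory": {"Domain Users"},  # in none of the three authorized groups
}


def run(default_result: str):
    """Evaluate every sample user; return (decisions, per-rule hit counts)."""
    policy = build_policy(default_result)
    policy.reset_hit_counts()
    decisions = {u: policy.evaluate(g) for u, g in USERS.items()}
    hits = {r.name: r.hits for r in policy.rules + [policy.default]}
    return decisions, hits


def audit_default_rule(policy: AuthzPolicy) -> list:
    """Findings a reviewer would raise: a permissive catch-all, or a rule with no condition."""
    findings = []
    if policy.default.result != DENY:
        findings.append(f"default rule '{policy.default.name}' returns "
                        f"{policy.default.result}; set it to {DENY}")
    for r in policy.rules:
        if r.groups is None and r.result != DENY:
            findings.append(f"rule '{r.name}' has no condition and permits everyone")
    return findings


if __name__ == "__main__":
    for default in (PERMIT, DENY):
        decisions, hits = run(default)
        print(f"default rule = {default}")
        for user, (rule, result) in decisions.items():
            print(f"  {user:8} -> rule {rule:8} result {result}")
        print(f"  hit counts: {hits}")
        print(f"  audit: {audit_default_rule(build_policy(default)) or 'clean'}")
```

Running it shows `mallory` matched by the `Default` rule in both cases; only the result differs, which is why the fix in the thread is to edit the default rule's result rather than the three group rules. `audit_default_rule` is the check to run on any ordered policy: a catch-all that does not deny, or any rule with an empty condition above the catch-all, lets unlisted users through.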

6 REPLIES

Beginner

Cisco ACS 5.3 - How to only allow specific AD groups to login

Thank you.  I found the problem with your assistance.  Had the permit set. Then set it to DenyAccess.

Beginner

Cisco ACS 5.3 - How to only allow specific AD groups to login

I have a similar setup, but I do not see a Deny Access authorization profile to use for the default. Can you explain how you set the default to deny access?

Beginner

Re: Cisco ACS 5.3 - How to only allow specific AD groups to login

Under Authorization, check the checkbox for the Default rule, click Edit, and select the Deny Access profile.

Regards

Minakshi (do rate the helpful post)

Beginner

Re: Cisco ACS 5.3 - How to only allow specific AD groups to login

Something must be broken in my install of 5.4, because I do not have a Deny Access authorization profile, only Permit Access.

Beginner

Re: Cisco ACS 5.3 - How to only allow specific AD groups to login

Ugh, never mind. You have to actually click the Select button to see the Deny Access profile, which does not show up under the policy elements. Thanks man, it worked.