11-05-2012 09:06 AM - edited 03-10-2019 07:44 PM
Can anyone help me figure out what I have wrong or have missing?
I've configured three specific AD groups, Admin, Storage, and HelpDesk, with their own command sets.
This seems to be working fine, but everyone can log into everything, but they can't do anything except exit.
My goal is to not allow anyone to log in that is not part of the three AD groups I have specified with the respective command sets.
All the logins hit the Admin account, even though the ID in AD is not in that AD group. I have something screwed up.
11-05-2012 01:42 PM
Check your authorization rules, make sure the default rule isn't set to Permit. Group Mapping is only mapping AD groups to internal ACS groups; we need to check your authorization rules to see which policies the users are hitting. You may want to reset the hit count and test to see which policy is allowing access.
Thanks,
Tarik Admani
*Please rate helpful posts*
11-08-2012 09:28 AM
Thank you. I found the problem with your assistance. Had the permit set. Then set it to DenyAccess.
01-29-2013 05:36 PM
I have a similar setup, but I do not see a deny access authorization profile to use for the default. Can you explain how you set the default to deny access?
01-29-2013 05:42 PM
Under authorization, check the check box for default, click on Edit and select the deny access profile.
Regards
Minakshi (do rate the helpful post)
01-29-2013 05:46 PM
Something must be broken for my install of 5.4 because I do not have a deny access authorization profile, only permit access.
01-29-2013 05:58 PM
UG never mind. You have to actually click on the select button to see the deny access profile, which does not show up in the policy elements. Thanks man, it worked.