How to require user group membership to access via a given NAS?

I am attempting to configure our new ACS (Release 3.2(1) Build 20) as the RADIUS server for several network access servers.

For simplicity, suppose I have only two NASes, a switch and CiscoWorks VMS. A user might deserve access to one, the other, both or neither.

No users are defined on the ACS itself. All user authentication & authorization info is stored in our LDAP. Since the users are external to ACS, they are mapped to an ACS group whenever they attempt to gain access through a NAS. This mapping is based on their memberships in LDAP groups. They are always mapped to a *single* group because the ACS does not support the idea of users being in multiple groups. Consequently, I had to create 4 ACS groups for the combinations of LDAP group memberships: Switch+VMS, Switch+noVMS, noSwitch+VMS, noSwitch+noVMS. By making this the mapping order, I can guarantee that a user will land in the correct ACS group for their combination of rights.

Now I need to configure the ACS so that when a request arrives from the switch, access is granted if the user is in Switch+VMS or Switch+noVMS, but not if the user is in noSwitch+VMS or noSwitch+noVMS. I need to do the analogous thing for VMS. How do I do that?

I have tried using Shared Network Access Restrictions to accomplish this. I created two NARs, nar_NASisSwitch and nar_NASisVMS. For nar_NASisSwitch, I turned on "Defined IP-based access restrictions" and "Table defines Permitted Calling/Point of Access Locations." I added the switch from the list of defined AAA clients, and used all ports and all Src IP Addys ("*" and "*"). I did the analogous thing for nar_NASisVMS.

Next I added these NARs to the groups. The example below is for Switch+noVMS.

Shared Network Access Restrictions

[X] Only allow network access when
    ( ) All selected NARs result in permit
    (X) Any one selected NAR results in permit

NARs                 Selected NARs
---------            ------------------
nar_NASisVMS         nar_NASisSwitch

Here is the problem: Suppose a user has access to the switch but not to VMS. When he attempts to log in through VMS, he is correctly mapped into the Switch+noVMS ACS group. The NAR is then checked. Unfortunately, the NAR simply says "permit if NAS is Switch" -- it does NOT say DENY OTHERWISE. When I check the Passed Authentications log, the message is:

"Access Filter nar_NASisSwitch from Switch+noVMS did not fail any criteria. This is sufficient to satisfy an 'Any Selected' SPC NAR config."

and the user is permitted access through VMS even when he shouldn't be.

Another alternative is to use "deny" NARs instead of "permit" ones. Unfortunately, that would mean that I'd have to revisit every NAR every time I added a new device.

So, how can I configure the ACS so that when a request arrives from the switch, access is granted if the user is in Switch+VMS or Switch+noVMS, but not if the user is in noSwitch+VMS or noSwitch+noVMS? That is, how do I *link* a NAS to the set of groups, such that the user must be a member of one of them before access can be granted?

Thanks very much,

Chris
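The following is an added model of the evaluation logic described in the post above; it is not ACS code and not the poster's configuration. The NAR semantics it encodes are an assumption inferred from the quoted log line: a "permitted locations" table that names no entry for the requesting AAA client "did not fail any criteria" and therefore passes, while a "denied locations" table fails only on a full match. The group and NAR names come from the post; the AAA client names "switch" and "vms", the request port and the source IP are constructed sample values. The script checks both the permit-table design from the post and the deny-table alternative it mentions against the intended access matrix.

```python
"""Model of Cisco Secure ACS shared NAR evaluation as described in the post.

Constructed for illustration; the pass/fail rules are an assumption drawn
from the log line quoted in the post, not from ACS documentation.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Entry:
    client: str  # AAA client (NAS) name in the NAR table
    port: str    # "*" means any port
    src_ip: str  # "*" means any source address


@dataclass(frozen=True)
class Nar:
    name: str
    entries: Tuple[Entry, ...]
    table_permits: bool  # True: "Table defines Permitted ... Locations"; False: denied locations


@dataclass(frozen=True)
class Request:
    client: str
    port: str
    src_ip: str


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def _entry_matches(e: Entry, r: Request) -> bool:
    return e.client == r.client and _matches(e.port, r.port) and _matches(e.src_ip, r.src_ip)


def nar_passes(nar: Nar, req: Request) -> bool:
    """One NAR check. Assumed behaviour: a permit table whose entries never
    name the requesting client applies no criterion, so nothing fails and the
    NAR passes (the "did not fail any criteria" case). A deny table fails only
    when an entry fully matches the request."""
    if nar.table_permits:
        named = [e for e in nar.entries if e.client == req.client]
        if not named:
            return True  # the gap the post describes: no deny-otherwise
        return any(_entry_matches(e, req) for e in named)
    return not any(_entry_matches(e, req) for e in nar.entries)


@dataclass(frozen=True)
class Group:
    name: str
    nars: Tuple[Nar, ...]
    mode: str             # "any": any selected NAR permits; "all": all must permit
    restricted: bool = True  # the "Only allow network access when" checkbox


def group_permits(group: Group, req: Request) -> bool:
    if not group.restricted:
        return True
    results = [nar_passes(n, req) for n in group.nars]
    if not results:
        return False  # model assumption: restriction on but no NAR selected -> deny
    return any(results) if group.mode == "any" else all(results)


# Intended access matrix from the post: group -> set of NASes it may use.
NASES = ("switch", "vms")
INTENDED = {
    "Switch+VMS": {"switch", "vms"},
    "Switch+noVMS": {"switch"},
    "noSwitch+VMS": {"vms"},
    "noSwitch+noVMS": set(),
}

# Permit-table NARs exactly as the post describes them (all ports, all source IPs).
NAR_SWITCH = Nar("nar_NASisSwitch", (Entry("switch", "*", "*"),), True)
NAR_VMS = Nar("nar_NASisVMS", (Entry("vms", "*", "*"),), True)

# Deny-table NARs for the alternative the post mentions (hypothetical names).
DENY_SWITCH = Nar("nar_denySwitch", (Entry("switch", "*", "*"),), False)
DENY_VMS = Nar("nar_denyVMS", (Entry("vms", "*", "*"),), False)


def permit_design() -> Tuple[Group, ...]:
    """Groups configured with permit NARs and 'Any one selected NAR results in permit'."""
    return (
        Group("Switch+VMS", (NAR_SWITCH, NAR_VMS), "any"),
        Group("Switch+noVMS", (NAR_SWITCH,), "any"),
        Group("noSwitch+VMS", (NAR_VMS,), "any"),
        Group("noSwitch+noVMS", (), "any"),
    )


def deny_design() -> Tuple[Group, ...]:
    """Groups that instead carry one deny NAR per device they must not reach."""
    return (
        Group("Switch+VMS", (), "all", restricted=False),  # nothing to deny
        Group("Switch+noVMS", (DENY_VMS,), "all"),
        Group("noSwitch+VMS", (DENY_SWITCH,), "all"),
        Group("noSwitch+noVMS", (DENY_SWITCH, DENY_VMS), "all"),
    )


def mismatches(groups: Tuple[Group, ...]) -> list:
    """(group, nas) pairs whose decision differs from the intended matrix."""
    req = {nas: Request(nas, "1", "10.0.0.5") for nas in NASES}  # constructed sample request
    return sorted(
        (g.name, nas)
        for g in groups
        for nas in NASES
        if group_permits(g, req[nas]) != (nas in INTENDED[g.name])
    )


if __name__ == "__main__":
    print("permit-table NARs:", mismatches(permit_design()) or "matrix satisfied")
    print("deny-table NARs:  ", mismatches(deny_design()) or "matrix satisfied")
```

Running it lists the two wrong decisions of the permit-table design (Switch+noVMS reaching VMS, noSwitch+VMS reaching the switch), which is the behaviour the quoted log line reports, and an empty list for the deny-table design. The deny design passes the check only because every restricted group enumerates each device it must not reach, which is the maintenance cost the post points out: a new NAS means adding a deny NAR to every group that should not see it.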

1 Reply

wong34539
Level 6