03-05-2013 11:43 PM - edited 03-10-2019 08:09 PM
Does anybody know how to restrict a TACACS user from logging in to another device? Our company has manufacturing in many locations around the world and we wanted to restrict all of our engineers based on their geographic locations. For example, network engineers based in Asia are restricted from accessing all the devices that are in the US, but US engineers need to have access to all the devices that are installed in different locations. I'm using Cisco Secure ACS 5.3 and I'm not able to achieve it. The test account that I've created, which belongs to a certain group (i.e. ASIA), can log in to a set of devices that are located in the US with read access but doesn't have write access because of the restriction that I've created. What I wanted is for this test user to be blocked from accessing those devices located in the US.
03-06-2013 12:14 AM
Well, let's assume that you have created two locations, US and Asia.
You have defined two AAA clients, US1 and Asia1.
Also you have two identity groups, USgroup and Asiagroup.
1) If a user from USgroup is trying to access an Asia device, it should be rejected.
2) If a user from Asiagroup is trying to access a US device, it should be rejected as well.
Else access is granted.
So you should customize the authorization policy under the device admin access service
to include identity group and NDG:Location as conditions, where in the result you can put
whatever shell profile or command set you want.
Rule 1 : USgroup, NDG:Location is US: grant access with the shell profiles and command set needed
Rule 2 : Asiagroup, NDG:Location is Asia: grant access with the shell profiles and command set needed
Default : deny access
----------------------------------------------------------------------
Please make sure to rate correct answers
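An added example, not code from the thread or from Cisco ACS: a small Python model of how ACS 5.x reaches a TACACS+ authorization result, first picking an access service, then evaluating that service's rules first-match with a default. It assumes the constructed group, location, service and shell-profile names below, and it models the follow-up's duplicate Device Admin access service as one with no location rules and a permissive read-only default (an assumption, not something the thread states).

```python
# Added example, not from the thread: a small model of how Cisco Secure ACS 5.x
# reaches an authorization result for a TACACS+ login. Group, location, service
# and profile names are constructed to match the thread; ACS itself is not used.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    identity_group: str   # condition: the user's identity group
    location: str         # condition: NDG:Location of the AAA client
    result: str           # shell profile / command set to apply

@dataclass
class AccessService:
    name: str
    protocol: str         # service-selection condition (constructed)
    rules: list
    default: str          # result when no rule matches

def select_service(services, protocol):
    """Service selection: the first access service whose condition matches wins."""
    for svc in services:
        if svc.protocol == protocol:
            return svc
    return None

def authorize(svc, identity_group, device_location):
    """Authorization policy: first matching rule wins, otherwise the service default."""
    for r in svc.rules:
        if r.identity_group == identity_group and r.location == device_location:
            return r.result
    return svc.default

# The intended policy from the answer: one rule per location, default deny.
INTENDED = AccessService(
    "Default Device Admin", "tacacs",
    [Rule("USgroup", "US", "US-Shell"), Rule("Asiagroup", "Asia", "Asia-Shell")],
    default="DENY",
)
# Assumed shape of the stale duplicate from the follow-up: no location rules and a
# permissive default, so every login that lands on it gets read-only access.
STALE = AccessService("Device Admin copy", "tacacs", [], default="ReadOnly-Shell")

def effective_result(services, identity_group, device_location, protocol="tacacs"):
    svc = select_service(services, protocol)
    return "DENY" if svc is None else authorize(svc, identity_group, device_location)

if __name__ == "__main__":
    # Asia engineer on a US device: the duplicate service answers first, read-only access.
    print(effective_result([STALE, INTENDED], "Asiagroup", "US"))   # ReadOnly-Shell
    # After deleting the duplicate, the same login is denied as intended.
    print(effective_result([INTENDED], "Asiagroup", "US"))          # DENY
```

The quickest check on a live ACS is the service selection policy: if more than one Device Admin access service can match TACACS+ requests, the location rules in the other one never run.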
03-11-2013 12:28 AM
Thanks Maldehne for the information. The issue has been solved. My team, who were previously working on the per-location restriction, had created another Access Service Device Admin profile; that's why it was not working even though I had already set up rules that are the same as the ones you mentioned. What I did is delete that
Access Service Device Admin profile and add the rules on the existing Access Service Device Admin profile, and this solved the issue.
Thanks,
Erwin