10-16-2006 06:27 PM - edited 03-10-2019 02:47 PM
Relevant background: Win2k3 Active Directory used for passwords, usernames/groups local to ACS (version 4.0), mixture of 2960s, 4900s, 6500s.
Goal: I'm trying to lock down a small set of users (2-4) to have read-only access to a few switches, and zero access to any other.
Current: I have the switches I want this group to access in a Network Device Group (NDG). The users are also in a group. I have given them read-only access. However this group can log into other NDGs' member switches. When they get in they have no enable access, but they can poke around a little bit, and to be honest it would just be cleaner if they couldn't log in at all.
I'm not interested in locking them down via IP, time, or anything other than their group within ACS. Is this even possible?
10-20-2006 08:12 AM
If you go to Interface Configuration->Advanced options, there is an option "Group-Level Network Access Restrictions". If you check that, then under each group you can define what devices members can authenticate on. Within your read-only group, you can go to the section "Per group defined network access restrictions" and specify which hosts the users can authenticate to. You can also limit them by their source IP, but if you put * in the ip and port field then those users can connect from anywhere just to the hosts you specify.
-Eric
Please remember to rate all helpful posts.
10-26-2006 04:49 PM
Muchas thanksas man, that worked just fine. In order to get a little "solved" star, I should add that one must then apply the NAR under the group settings.
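To make the access decision concrete, here is a small Python model of the group-level NAR behaviour described in this thread. It is an added example, not Cisco ACS code: the entry/policy classes, the `may_authenticate` function and the `unrestricted_groups` audit helper are hypothetical, and the device, NDG, group and address values are constructed sample data. It captures three points from the replies: without an applied NAR there is no restriction (the original symptom), an applied NAR permits the group only on the listed hosts or NDGs (default deny elsewhere), and `*` in the IP and port fields means "from anywhere".

```python
"""Simplified model of ACS 4.0 'Per Group Defined Network Access Restrictions'.

Added example, not Cisco's implementation. All names and addresses below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List


@dataclass
class NarEntry:
    """One permit line of a group NAR.

    target is an NDG name or a single AAA-client (switch) name.
    ip and port use '*' to mean 'any', as suggested in the thread.
    """
    target: str
    ip: str = "*"
    port: str = "*"


@dataclass
class GroupPolicy:
    # Assumption (from the follow-up post): the NAR only takes effect once it
    # has been applied under the group's settings, modelled here as a flag.
    nar_applied: bool = False
    permit: List[NarEntry] = field(default_factory=list)


@dataclass
class Device:
    name: str
    ndg: str


def _entry_matches(entry: NarEntry, device: Device, src_ip: str, src_port: str) -> bool:
    # A permit line applies if it names the device itself or the NDG it belongs to,
    # and the source IP/port match the (possibly wildcarded) patterns.
    if entry.target not in (device.name, device.ndg):
        return False
    return fnmatch(src_ip, entry.ip) and fnmatch(src_port, entry.port)


def may_authenticate(group: GroupPolicy, device: Device,
                     src_ip: str, src_port: str = "0") -> bool:
    """True if a member of `group` is allowed to authenticate on `device`.

    No applied NAR means no restriction (users could reach every switch).
    An applied NAR is a permit list: anything not listed is denied.
    """
    if not group.nar_applied:
        return True
    return any(_entry_matches(e, device, src_ip, src_port) for e in group.permit)


def unrestricted_groups(policies: Dict[str, GroupPolicy]) -> List[str]:
    """Audit helper: groups that still have no NAR applied (hypothetical)."""
    return sorted(name for name, pol in policies.items() if not pol.nar_applied)


# Constructed inventory: a few read-only switches in their own NDG, and a core device.
DEVICES = {
    "sw-access-1": Device("sw-access-1", "RO-Switches"),
    "sw-access-2": Device("sw-access-2", "RO-Switches"),
    "core-6500": Device("core-6500", "Core"),
}

POLICIES = {
    # Read-only group after the fix: NAR applied, permitted only on the RO-Switches NDG.
    "readonly": GroupPolicy(nar_applied=True, permit=[NarEntry("RO-Switches")]),
    # Admin group with no NAR: unrestricted, which the audit helper flags for review.
    "admins": GroupPolicy(),
}


def evaluate_scenario() -> Dict[str, bool]:
    """Work through the thread's cases; keys are 'group->device'."""
    results = {}
    for gname, pol in POLICIES.items():
        for dname, dev in DEVICES.items():
            results[f"{gname}->{dname}"] = may_authenticate(pol, dev, "10.0.0.5")
    return results


if __name__ == "__main__":
    for case, allowed in evaluate_scenario().items():
        print(f"{case:24} {'permit' if allowed else 'deny'}")
    print("groups without a NAR applied:", unrestricted_groups(POLICIES))
```

The `*` wildcard is handled with `fnmatch`, so a more specific pattern such as `10.1.*` in the IP field would also restrict the source address, which the reply mentions as an option the asker did not need.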