Misconfigured ACS 5.5 allowing VPN users to log on to switches.

jamescox3
Level 1

I've recently inherited an ACS 5.5 server that was upgraded from 4.1 a few weeks ago before I joined the company.

While digging through the config I noticed a lot of local users in a VPN group, and while testing my credentials I found that I was able to use my VPN credentials to SSH into my switches.

It appears that little work was done once the migration was complete. I believe that the issue revolves around the default policy being set to permit any user. Currently there are rules to allow our admin group to access our APC devices and a second rule for the admin group to access the switches, but because of the default permit, any VPN user can also access any of the network devices.

It's been a few years since I set up a "new" 5.x ACS server, and in the past I was using AD mappings to restrict the VPN users to only the VPN, and I'm feeling a bit rusty on how to correct this.
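Added example (not from the poster or from Cisco ACS itself): a small first-match model of an authorization rule table with a default rule, showing why a "permit" default lets the VPN identity group reach the switches even though no rule names them, and how a "deny" default plus an explicit VPN-to-VPN-gateway rule closes that. The group names, device types and rule names are assumptions for illustration, not the poster's real ACS configuration. The `audit_default_hits` helper is the check a practitioner would run first: list every identity that is only getting in via the default rule.

```python
"""First-match authorization model with a default rule.

Constructed example. Rule names, identity groups ("NetworkAdmins",
"VPNUsers") and device types ("switch", "apc", "vpn-gateway") are
assumptions; they are not taken from any real ACS policy set.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # identity groups the user is a member of
    device_type: str        # type of the network device being accessed


@dataclass(frozen=True)
class Rule:
    name: str
    group: Optional[str]        # None matches any identity group
    device_type: Optional[str]  # None matches any device type
    result: str                 # "permit" or "deny"

    def matches(self, req: Request) -> bool:
        group_ok = self.group is None or self.group in req.groups
        dev_ok = self.device_type is None or self.device_type == req.device_type
        return group_ok and dev_ok


def authorize(rules: List[Rule], default: str, req: Request) -> Tuple[str, str]:
    """Evaluate rules top-down; first match wins, otherwise the default applies.
    Returns (result, name_of_rule_that_decided)."""
    for rule in rules:
        if rule.matches(req):
            return rule.result, rule.name
    return default, "Default"


# The two admin rules described in the post (assumed names).
ADMIN_RULES = [
    Rule("Admins-to-APC", "NetworkAdmins", "apc", "permit"),
    Rule("Admins-to-Switches", "NetworkAdmins", "switch", "permit"),
]


def broken_policy(req: Request) -> Tuple[str, str]:
    """Post-migration state: only the admin rules exist and the default is permit."""
    return authorize(ADMIN_RULES, "permit", req)


def fixed_policy(req: Request) -> Tuple[str, str]:
    """Corrected state: VPN users get an explicit rule for the VPN gateway only,
    and anything not explicitly permitted falls through to a deny default."""
    rules = ADMIN_RULES + [Rule("VPN-Users-to-VPN", "VPNUsers", "vpn-gateway", "permit")]
    return authorize(rules, "deny", req)


def audit_default_hits(rules: List[Rule], default: str, requests: List[Request]) -> List[str]:
    """Return 'user->device_type' for every request that is permitted only by
    the default rule. A non-empty list with a permit default is the misconfiguration."""
    hits = []
    for req in requests:
        result, decided_by = authorize(rules, default, req)
        if decided_by == "Default" and result == "permit":
            hits.append(f"{req.user}->{req.device_type}")
    return hits


if __name__ == "__main__":
    vpn_user_to_switch = Request("alice", frozenset({"VPNUsers"}), "switch")
    print("broken:", broken_policy(vpn_user_to_switch))   # permitted by Default
    print("fixed: ", fixed_policy(vpn_user_to_switch))    # denied by Default
    print("audit: ", audit_default_hits(ADMIN_RULES, "permit", [vpn_user_to_switch]))
```

The point the model makes explicit is that the admin rules are not what is letting the VPN accounts in; the default rule is. Adding more permit rules for admins changes nothing for VPN users, so the fix is to flip the default to deny and then add the narrow permit the VPN group actually needs.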

1 Reply

Peter Koltl
Level 7

RADIUS or TACACS+ ?
