
Radius AAA authentication for only group of users

jazzzz
Level 1

Hi,

I'm using ACS 3.1 and trying to use RADIUS authentication for all the network switches in my company.

The problem I'm encountering now is how to restrict login/exec access to the switches to only a group of users. It seems that all the user IDs in my ACS are able to telnet (user access) to the switches using their login credentials.

I would like to prevent everyone except the administrator group from even telnetting in with their IDs.

Any advice on how this can be achieved?

Tks !!

Accepted Solution

gfullage
Cisco Employee

On ACS you'll have to put the admin users into their own separate ACS group, leaving the other users in their own group also.

Modify the group containing the users you don't want to give access to, and under the Network Access Restriction (NAR) section, in "Per Group Defined Network Access Restrictions", check the "Define IP based access restrictions", choose "Denied calling point" and enter the switches in the table below (put an * in for Port and Address).

This will disallow all your standard users from authenticating to the switches. You can add all your switches into a Network Device Group (NDG) so that you only have to add that NDG in the NAR section rather than adding each switch individually.
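As an added illustration of the decision the answer above describes (this is a toy model, not ACS code; the group names, NDG, user names and addresses are all constructed), the following Python applies a per-group "Denied calling point" IP-based NAR, with an NDG standing in for the list of switches and `*` acting as the wildcard for Port and Address:

```python
"""Toy model of an ACS 3.x per-group 'Denied calling point' NAR.

Assumptions (not taken from ACS): a NAR entry is (device-or-NDG name,
port, address) with '*' as wildcard; the AAA client is identified by the
NAS-IP-Address it sends in the Access-Request.
"""
from dataclasses import dataclass, field

# Constructed inventory: an NDG "switches" plus one stand-alone AAA client.
NDG = {"switches": {"10.0.0.1", "10.0.0.2", "10.0.0.3"}}
AAA_CLIENT = {"vpn-gw": {"10.0.1.1"}}


@dataclass
class Group:
    name: str
    # "Per Group Defined" denied calling points: (device, port, address)
    denied: list = field(default_factory=list)


GROUPS = {
    "admins": Group("admins"),                              # no NAR at all
    "users": Group("users", denied=[("switches", "*", "*")]),
}
USER_GROUP = {"alice": "admins", "bob": "users"}            # constructed


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def _devices(name: str) -> set:
    # A NAR row may name either an NDG or a single AAA client.
    return NDG.get(name) or AAA_CLIENT.get(name, set())


def nar_permits(user: str, nas_ip: str, port: str = "0", calling: str = "") -> bool:
    """True if the user's group NAR lets this Access-Request through."""
    group_name = USER_GROUP.get(user)
    if group_name is None:
        return False          # unknown user: fail closed rather than KeyError
    for device, port_pat, addr_pat in GROUPS[group_name].denied:
        if (nas_ip in _devices(device)
                and _match(port_pat, port)
                and _match(addr_pat, calling)):
            return False      # denied calling point matched: reject auth
    return True
```

Because the denied entry covers the whole NDG, a standard user is rejected on every switch but still authenticates to devices outside it, while the admin group is untouched.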


Great, it works. Thanks for your help!