Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
828
Views
0
Helpful
8
Replies

Windows Groups Authentication with ACS

Go to solution
prekojo
Level 1
Level 1

‎11-17-2008 10:04 AM - edited ‎03-10-2019 04:11 PM

I am trying to setup login authentication on all of our Cisco switches. I have created an Windows AD group called NetworkAdmins and added the correct users to that group. Inside of ACS I did a group mapping and mapped my ACS group called NetworkAdmins to my Windows NetworkAdmins group.

I configure my Cisco 3750 with the following commands for authentication.

aaa new-model

aaa authentication login NetworkAdmins group tacacs+ local

aaa authorization exec NetworkAdmins group tacacs+ local

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa session-id common

The authentication does work, but it authenticates to any user, not just to the users in the NetworkAdmins group. How do I tell the switch to only authenticate on the NetworkAdmins group?

Thanks for the help!!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎11-17-2008 10:44 AM

In ACS, under your group settings configure NAR to allow AAA clients. Under the default group in ACS configure NAR to deny all for AAA clients (or necessary ones).

Hope that helps.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎11-17-2008 10:44 AM

In ACS, under your group settings configure NAR to allow AAA clients. Under the default group in ACS configure NAR to deny all for AAA clients (or necessary ones).

Hope that helps.

0 Helpful

Go to solution
prekojo
Level 1
Level 1
In response to Collin Clark

‎11-17-2008 12:02 PM

That appears to have worked. Thanks so much for the help!!! I do have one more question. Once the user is logged in, I issue the "enable" command. When I issue the enable command the switch asks for the enable password. I have the user setup with level 15 privileges, shouldn't the user go right to enable mode without having to type the enable password? How do I setup the user to go straight to enable mode when they login, instead of having to enter the local enable password.

Thanks again

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to prekojo

‎11-17-2008 01:18 PM

In your router/switch...

config t

line vty 0 4

privilege level 15

That should do it! You can't do it with firewalls, they force you to enter the enable password.

0 Helpful

Go to solution
prekojo
Level 1
Level 1
In response to Collin Clark

‎11-17-2008 01:22 PM

Excellent!! Is there anyway to do it per user instead of any vty session?

Thanks again!!!!

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to prekojo

‎11-17-2008 01:24 PM

Not that I know of. You can setup different authorization groups for people that should not have access to all commands though.

0 Helpful

Go to solution
prekojo
Level 1
Level 1
In response to Collin Clark

‎11-17-2008 01:36 PM

Would you specify the authorizations groups using the following command then?

aaa authorization commands 3 NetworkUsers group tacacs+ local

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to prekojo

‎11-17-2008 01:43 PM

I do it in ACS. I've attached a little write up I did for reference. I hope it helps.

Preview file
98 KB
0 Helpful

Go to solution
prekojo
Level 1
Level 1
In response to Collin Clark

‎11-18-2008 06:19 AM

I haven't got this part working yet, but thanks for the info. Your documentation is great!!!!

0 Helpful
Customers Also Viewed These Support Documents