Solved: Cisco ACS restrict a user to specific routers

JohanKardell · ‎10-12-2011

Hi

We have ACS v3.2 in our network, I have created a new user and added it to a group, is there a way in that group to specify which network routers / switches the user is able to telnet into, with a some sort of ACL or something? I have read something about:

Network Access Filter (NAF)

which is available in 4.0, do I need to upgrade to be able to accomplish this?

I tried to set a Per Group Defined Network Access Restrictions, but this seems to be from which network you are telenting from?

Sorry, please have patience, I'm new on ACS

THANKS!

technotony · ‎11-10-2011

Hi,

I am using ACS v4.2 so not sure if you will have the same features but can you select the NDG your routers reside in under Per Group Defined Network Access Restrictions > AAA Client drop down list? if so just select each NDG you want that group to have access to and enter * in Port and * in Address. This will allow any IP address to be able to telnet/ssh to the devices in each NDG you enter.

If you wish you can control which IP addresses can access your routers by placing an access list on each router (saves messing with ACS if you are not that familiar with it).

Hope this helps...

Tony

View solution in original post

technotony · ‎11-10-2011

Hi,

I am using ACS v4.2 so not sure if you will have the same features but can you select the NDG your routers reside in under Per Group Defined Network Access Restrictions > AAA Client drop down list? if so just select each NDG you want that group to have access to and enter * in Port and * in Address. This will allow any IP address to be able to telnet/ssh to the devices in each NDG you enter.

If you wish you can control which IP addresses can access your routers by placing an access list on each router (saves messing with ACS if you are not that familiar with it).

Hope this helps...

Tony

JohanKardell · ‎11-10-2011

Thanks! I'll try that!