
ACS LDAP authentication - restrict to only certain LDAP users?

greg.fuller
Level 5

I'm configuring Secure ACS v4.2 for TACACS+ authentication/authorization and command logging. I'd like to use my external LDAP user database for authentication.

I have this functionality up and working and have one of our 3550 switches able to successfully authenticate against ACS with one of my LDAP username/passwords. Command logging and authorization also appear to be working, as I can see them in the TACACS+ Accounting/Administration logs on the ACS server.

Is there a way to restrict which LDAP users are allowed to authenticate? For example, out of my 16000 users in LDAP, I want only a handful of users to be able to authenticate against the LDAP server via TACACS+ and get into my devices.

Can I create an LDAP filter someplace in ACS that specifies only XXX users can authenticate against LDAP and to deny all other users?

Oh, and we do not use the "group" functionality on our LDAP server. All users are part of the same OU in LDAP and are not separated out by a different group OU. I know, I know..... I could probably do it this way, but since that info doesn't exist in our LDAP server I'm looking for another solution.

I'm running ACS v4.2.0.124.


Collin Clark
VIP Alumni

Sure, add the allowed users to a group in ACS, then use NAR to restrict what devices they can get to. This link might help as well.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc25eb6

Hope that helps.