Cisco ACS 5.2: Device access and Network Access

jesse.cloy
Level 1

Everyone,

I have a question regarding the Cisco Secure ACS 5.2 and network access vs device admin access. We have our switches, routers, and firewall configured to use TACACS+. We also have configured our Wireless LAN Controller to use RADIUS for allowing for 802.1X authentication to the wireless network. We are using Active Directory for the backend user database and have assigned the users to different groups in AD. We have a Network Admins group to access the network devices and a Wireless Users group to access the WLAN. The problem that we have is that everyone in the Wireless Users group can access the devices and run full commands on them. We want to limit the Wireless Users group from being able to do this. Is there a policy or config change that we will need to make for this?

Thanks for any help you can provide.

JC

3 Replies

Tarik Admani
VIP Alumni

Hi,

You are sending back the wrong attributes for all users in your condition; my suggestion would be to leverage the Service-Type RADIUS attribute to determine which user can get the av-pair for administrative access.

The Service-Type attribute for dot1x users should be "Framed"; for admin login it should be "Login". You should be able to see this in the monitoring and reports section. Once you find this attribute, couple it with the domain user group to build the correct policy.

You can also switch and use TACACS+ for your WLC (are these Cisco?). If so, then the attribute role1=ALL should be sent back.

Thanks,

Tarik Admani
*Please rate helpful posts*
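To illustrate the policy shape this reply describes (admin av-pair only when the request carries Service-Type Login *and* the user is in the admin group), here is an added example that is not code from the thread or from ACS. It parses the RADIUS attribute TLVs from a constructed Access-Request and applies the two-condition rule; the usernames, group table and `authorize`/`parse_attributes` helpers are hypothetical, while the attribute numbers and Service-Type values come from RFC 2865.

```python
import struct

# RFC 2865 attribute types and Service-Type values
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_LOGIN = 1    # device admin login via RADIUS
SERVICE_TYPE_FRAMED = 2   # what an 802.1X / WLC request carries

# Constructed AD group membership (hypothetical users, not from the thread)
AD_GROUPS = {
    "alice": {"Network Admins"},
    "bob": {"Wireless Users"},
}

def parse_attributes(data):
    """Walk RADIUS attribute TLVs: 1-byte type, 1-byte length (incl. header), value."""
    attrs = {}
    i = 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def authorize(attr_bytes):
    """Decide what the authorization policy hands back for one request."""
    attrs = parse_attributes(attr_bytes)
    user = attrs[ATTR_USER_NAME].decode()
    service_type = struct.unpack("!I", attrs[ATTR_SERVICE_TYPE])[0]
    groups = AD_GROUPS.get(user, set())
    # Admin shell access needs BOTH the admin group and a Login-type request;
    # a Wireless Users member with a Framed (dot1x) request gets plain access only.
    if "Network Admins" in groups and service_type == SERVICE_TYPE_LOGIN:
        return {"result": "accept", "avpair": "shell:priv-lvl=15"}
    if "Wireless Users" in groups and service_type == SERVICE_TYPE_FRAMED:
        return {"result": "accept", "avpair": None}
    return {"result": "reject", "avpair": None}

def build_request(user, service_type):
    """Construct the attribute bytes of a sample request (test input, not a full packet)."""
    name = user.encode()
    return (bytes([ATTR_USER_NAME, 2 + len(name)]) + name
            + bytes([ATTR_SERVICE_TYPE, 6]) + struct.pack("!I", service_type))
```

The third case in the test below is the one the original poster hit: a Wireless Users member sending a Login-type request to a device is rejected rather than given the admin av-pair.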

These are Cisco WLCs. I will try these suggestions. I will have to wait until after hours to make the change to the WLC policy, as this will knock the users off the WLAN.

That will work and good luck!

Tarik Admani
*Please rate helpful posts*
