specific AD users for specific network devices

Hi,

I have ACS 5.8.0 and we have two AD groups:

- full_access, where all network admins are added for all the network device clients, where they can configure, reload, etc.

- monitor_access, where, like NOC, they can do just show commands only for all the network devices.

The question is, we have a separate group, let's say PBX team, where we have the network devices added already, but they need to access via ACS ONLY the specific PBX devices (VGs, routers, etc.), but not all network devices.

Is there any tutorial on how to allow, let's say, 5 people out of 50 network admins to just log in to 5 routers (not all the network devices)?

Thank you so much for your assistance,

3 Replies

Octavian Szolga
Level 4

Hi,

There are many ways you can do it. One way would be to use the existing hierarchy for your network devices (Device Type and Device Location are there by default, I think).

In your case, just edit Device Type and create a subtype like PBX.

Edit your PBX devices to have the device type set to PBX.

Create an authorization policy like:

If AD External Group = PBX_GROUP AND Network Device - Device Type = PBX then SHELL_PROFILE

Your PBX_GROUP would be allowed to connect only to those devices because it won't match your upper NOC and FULL_ACCESS groups. If they try to connect to any other non-PBX device type they'll match the default no access authorization rule.

Just as a quick note, you can create your own hierarchy of device classification. It's up to you to create any other tree and use it in authorization rules.

Regards,

Octavian

Thank you so much for your reply,

Let me explore that option. I will set it up mostly this weekend and I will let you know asap.

If I have questions, I will let you know.

Thanks again,

The only problem could be that if any of them belong to another AD group that is part of additional AUTHZ policies, then they would hit those policies instead of the one you want. AUTHZ policies are checked from top to bottom (sequentially).
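To make the two points above concrete (the PBX rule keyed on AD group plus Device Type, and the top-to-bottom first-match evaluation that lets an earlier, broader rule win), here is a small added model of an ACS-style authorization policy table. It is illustration code, not ACS configuration or anything from the thread; the rule names, group names, device types and shell-profile names are constructed assumptions.

```python
# Added example: a minimal model of how an ACS-style authorization policy
# table is evaluated (first matching rule wins, implicit deny at the end).
# Rule order, group names, device types and profile names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    ad_groups: frozenset     # user must belong to at least one of these groups
    device_types: frozenset  # empty set means "any device type"
    result: str              # shell profile handed back on a match


# Policy table in evaluation order (top to bottom), as the reply suggests:
# the broad admin/NOC rules sit above the narrow PBX rule.
POLICY = [
    Rule("full_access", frozenset({"full_access"}), frozenset(), "FULL_SHELL"),
    Rule("monitor_access", frozenset({"monitor_access"}), frozenset(), "SHOW_ONLY_SHELL"),
    Rule("pbx_only", frozenset({"PBX_GROUP"}), frozenset({"PBX"}), "PBX_SHELL"),
]
DEFAULT = "DENY"  # the implicit last rule: no access when nothing above matched


def authorize(user_groups, device_type, policy=POLICY):
    """Return the shell profile of the first rule that matches, else DENY."""
    groups = set(user_groups)
    for rule in policy:
        if not (rule.ad_groups & groups):
            continue  # user is in none of the rule's AD groups
        if rule.device_types and device_type not in rule.device_types:
            continue  # rule is restricted to other device types
        return rule.result
    return DEFAULT


def earlier_rule_overlaps(user_groups, target_rule_name, policy=POLICY):
    """Names of rules above `target_rule_name` whose AD group condition this
    user already satisfies. Any hit means the user can reach the broader rule
    first and the narrow PBX restriction never applies to them."""
    groups = set(user_groups)
    hits = []
    for rule in policy:
        if rule.name == target_rule_name:
            break
        if rule.ad_groups & groups:
            hits.append(rule.name)
    return hits
```

Running `earlier_rule_overlaps` over the PBX team's memberships before deploying the rule is the check that catches the ordering problem described in the last reply.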
