09-06-2006 05:21 PM
Hi, my ACS server has many groups and an unknown user policy defined to look up an external AD.
I want to restrict access to a specific networking device to users in a specific group.
What is happening now is that if a user is not in the ACS user list, ACS looks in AD and authenticates the user to that networking device.
It is a PIX with VPN client access; users have to VPN client in to this PIX to access the network behind the PIX.
Any advice will be much appreciated.
09-06-2006 10:20 PM
Use NAR (Network Access Restriction): under group properties, check the field "Define IP-based access restriction", select "Denied calling/point of access locations", then select the proper AAA client...
Check this for more details:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
M.
Hope that helps; rate if it does.
09-07-2006 04:52 PM
Hi, that won't help in my situation.
NAR would restrict access to a selected list of networking devices for users in that group. This won't prevent users in our AD from authenticating to the networking device, because we have the unknown user policy enabled to pass the authentication to AD.
Thanks for your support
09-09-2006 12:29 AM
It sounds like you may need to structure ACS a little. So you want to create a group called "VPN-CLNT" and drop those users in for VPN access to a PIX? The way I did mine is, since a user can only be a member of one group, for each department I have subgroups: I create VPN groups for each department, for instance (HR:RMT), and tie these users to users that need to VPN and have wireless. But then I have the base (HR) group with a "deny any" created as a placeholder for future use such as Clean Access. Every organization has their own way of doing it. But anyway, r.perera is right about using NAR. But you do have to enable NAR on all the other groups to deny or permit authentication to your NAS devices. That's why I'm recommending that it would be a good time to plan out your layout so applying NARs won't be so painful and confusing. Hopefully that helps.
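The decision order the two replies are arguing about (local user lookup, then the unknown user policy handing the request to AD, then the NAR of whichever group the user lands in) is easier to see as a small model. The Python below is an added illustration written for this thread, not ACS code and not from any of the posters; it simplifies ACS to an IP-based NAR with only a "denied" list, assumes AD-authenticated users are placed in a mapped group (as ACS database group mappings do), and all user, group and device names (VPN-CLNT, HR, Default Group, PIX-VPN, Core-Switch, alice, bob, carol, mallory) are constructed. It contrasts the original poster's layout (NAR on one group only, so AD users mapped elsewhere sail through) with the layout the last reply recommends (the same NAR on every group other than VPN-CLNT, including the group AD users are mapped into).

```python
"""Simplified model of how Cisco Secure ACS decides whether a user may
authenticate to an AAA client: local user lookup, then the Unknown User
Policy (external AD), then the NAR of the group the user ends up in.
Illustrative model written for this thread, not ACS code; every name is
constructed."""

from dataclasses import dataclass


@dataclass
class Group:
    name: str
    # IP-based NAR. When enabled, AAA clients listed under
    # "Denied calling/point of access locations" are rejected for this group.
    nar_enabled: bool = False
    nar_denied_clients: frozenset = frozenset()


@dataclass
class AcsConfig:
    local_users: dict          # username -> group name (ACS internal DB)
    groups: dict               # group name -> Group
    unknown_user_policy: bool  # fall through to external DB for unknown users
    external_users: frozenset  # constructed stand-in for the AD user list
    external_group_map: str    # group mapping target for AD-authenticated users


def authenticate(cfg: AcsConfig, username: str, aaa_client: str) -> tuple:
    """Return (accepted, reason) for a login request arriving from aaa_client."""
    # Step 1: local ACS database.
    if username in cfg.local_users:
        group_name = cfg.local_users[username]
    # Step 2: Unknown User Policy hands the request to AD; on success the
    # user is placed in the mapped group and treated like any other member.
    elif cfg.unknown_user_policy and username in cfg.external_users:
        group_name = cfg.external_group_map
    else:
        return False, "user not found"

    # Step 3: NAR is a property of the group, so only the group the user
    # landed in is consulted. A NAR on some other group has no effect here.
    group = cfg.groups[group_name]
    if group.nar_enabled and aaa_client in group.nar_denied_clients:
        return False, f"NAR on group {group_name} denies {aaa_client}"
    return True, f"accepted via group {group_name}"


PIX = "PIX-VPN"          # the device to lock down (constructed name)
OTHER = "Core-Switch"    # some other AAA client (constructed name)


def build_config(nar_on_all_other_groups: bool) -> AcsConfig:
    """Two layouts from the thread.

    False: a NAR denying the PIX exists only on the HR group. AD users mapped
           to "Default Group" never see it (the original poster's situation).
    True:  every group except VPN-CLNT carries the same deny-PIX NAR,
           including the group AD users are mapped into.
    """
    deny_pix = frozenset({PIX})
    restricted = nar_on_all_other_groups
    groups = {
        "VPN-CLNT": Group("VPN-CLNT"),  # no NAR: may reach the PIX
        "HR": Group("HR", nar_enabled=True, nar_denied_clients=deny_pix),
        "Default Group": Group(
            "Default Group",
            nar_enabled=restricted,
            nar_denied_clients=deny_pix if restricted else frozenset(),
        ),
    }
    return AcsConfig(
        local_users={"bob": "VPN-CLNT", "carol": "HR"},
        groups=groups,
        unknown_user_policy=True,
        external_users=frozenset({"alice"}),  # AD-only account, not in ACS
        external_group_map="Default Group",
    )


if __name__ == "__main__":
    for layout in (False, True):
        cfg = build_config(layout)
        print(f"NAR on all other groups = {layout}")
        for user in ("alice", "bob", "carol", "mallory"):
            for dev in (PIX, OTHER):
                ok, why = authenticate(cfg, user, dev)
                verdict = "ACCEPT" if ok else "REJECT"
                print(f"  {user:8} -> {dev:12} {verdict}: {why}")
```

Running it shows alice (AD-only) accepted on PIX-VPN in the first layout and rejected in the second, while bob (VPN-CLNT) keeps PIX access and carol (HR) keeps access to Core-Switch in both; the only thing that changed is that the NAR now exists on the group the unknown user policy maps AD users into. Real ACS also offers permitted lists and CLI/DNIS-based NARs, which this model leaves out.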