ACS server v3.2 group based access control

r.perera (Level 1)

Hi, my ACS server has many groups and an unknown user policy defined to look up users in an external AD.

I want to restrict a specific networking device's access to users in a specific group.

What is happening now: if a user is not in the ACS user list, ACS looks into AD and authenticates the user to that networking device.

It is a PIX with VPN client access; users have to VPN client into this PIX to access the network behind the PIX.

Any advice will be much appreciated.

3 Replies

m.sir (Level 7)

Use NAR (Network Access Restriction): under group properties, check the field "Define IP-based access restriction", select "Denied calling/point of access locations", then select the proper AAA client...

Check this for more details

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

M.

Hope that helps; rate if it does.

Hi, that won't help in my situation.

NAR would restrict access to a selected list of networking devices for users in that group. This won't prevent users in our AD from authenticating to the networking device, because we have the unknown user policy enabled to pass the authentication to AD.

Thanks for your support

tom.shiba (Level 1)

It sounds like you may need to structure ACS a little. So you want to create a group called "VPN-CLNT" and drop those users in for VPN access to a PIX? The way I did mine is, since a user can only be a member of one group, then for each department I have subgroups: I create VPN groups for each dept, for instance (HR:RMT), and tie these to users that need to VPN and have Wireless. But then I have the base (HR) group with a "deny any" created as a placeholder for future use such as Clean Access. Every organization has their own way of doing it. But anyway, r.perera is right about using NAR. But you do have to enable NAR on all the other groups to deny or permit authentication to your NAS devices. That's why I'm recommending that it would be a good time to plan out your layout so applying NARs won't be so painful and confusing. Hopefully that helps.
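The behaviour the thread is debating, as an added Python model that is not from the thread, from Cisco or from ACS itself: it simulates how a NAR on the VPN group alone still lets AD-validated unknown users through the PIX (because they land in a group without a restriction), and how putting a deny NAR for the PIX on every other group closes that gap, as the last reply recommends. It assumes simplified ACS semantics: a NAR is matched on the AAA client name only (real ACS also matches port and caller ID), and an unknown user validated by AD is placed in the Default Group unless an AD-group mapping applies. All usernames, group names and device names are constructed.

```python
# Constructed toy model of Cisco Secure ACS 3.x group-based access control
# with Network Access Restrictions (NARs) and an unknown-user policy that
# forwards lookups to AD. Not ACS code; semantics are simplified (assumption:
# NARs match on AAA client name only, unmapped AD users go to Default Group).
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class NAR:
    """IP-based NAR: 'permit' lists the only allowed AAA clients,
    'deny' lists AAA clients that are blocked for the group."""
    mode: str                  # "permit" or "deny"
    aaa_clients: frozenset     # AAA client names in the NAR table

@dataclass
class Group:
    name: str
    nar: Optional[NAR] = None  # None means no restriction on this group

@dataclass
class AcsConfig:
    groups: dict               # ACS group name -> Group
    local_users: dict          # ACS user DB: username -> ACS group name
    unknown_user_policy: bool  # forward unknown users to the external AD?
    ad_users: dict             # simulated AD: username -> list of AD groups
    group_mapping: dict        # AD group -> ACS group name
    default_group: str = "Default Group"

def nar_allows(group: Group, aaa_client: str) -> bool:
    """Apply the group's NAR to a request arriving through aaa_client."""
    if group.nar is None:
        return True
    listed = aaa_client in group.nar.aaa_clients
    return listed if group.nar.mode == "permit" else not listed

def authenticate(cfg: AcsConfig, username: str, aaa_client: str) -> Tuple[bool, Optional[str], str]:
    """Return (accepted, assigned ACS group, reason) for an access request."""
    if username in cfg.local_users:
        group_name = cfg.local_users[username]
    elif cfg.unknown_user_policy and username in cfg.ad_users:
        # Unknown-user policy: AD validated the credentials; ACS assigns the
        # group via AD-group mapping, falling back to the default group.
        mapped = [cfg.group_mapping[g] for g in cfg.ad_users[username] if g in cfg.group_mapping]
        group_name = mapped[0] if mapped else cfg.default_group
    else:
        return False, None, "user unknown to ACS and AD"
    group = cfg.groups[group_name]
    if nar_allows(group, aaa_client):
        return True, group_name, "NAR permits"
    return False, group_name, "NAR denies"

PIX = "PIX-VPN"  # constructed AAA client name for the VPN concentrator

def build_config(restrict_other_groups: bool) -> AcsConfig:
    """Loose layout: NAR only on VPN-CLNT. Strict layout: every other group
    also carries a deny NAR listing the PIX, as the thread recommends."""
    vpn_nar = NAR("permit", frozenset({PIX}))          # VPN users: PIX only
    other_nar = NAR("deny", frozenset({PIX})) if restrict_other_groups else None
    groups = {
        "VPN-CLNT": Group("VPN-CLNT", vpn_nar),
        "HR": Group("HR", other_nar),
        "Default Group": Group("Default Group", other_nar),
    }
    return AcsConfig(
        groups=groups,
        local_users={"alice": "VPN-CLNT", "bob": "HR"},   # in the ACS user DB
        unknown_user_policy=True,
        ad_users={"carol": ["Domain Users"]},            # carol exists only in AD
        group_mapping={"HR-Staff": "HR"},                # no mapping for Domain Users
    )

def evaluate(restrict_other_groups: bool) -> dict:
    """Outcome of a few constructed requests under one layout."""
    cfg = build_config(restrict_other_groups)
    cases = [("alice", PIX), ("alice", "CORE-SWITCH"), ("bob", PIX),
             ("carol", PIX), ("carol", "CORE-SWITCH")]
    return {f"{u}@{d}": authenticate(cfg, u, d)[0] for u, d in cases}

if __name__ == "__main__":
    for label, strict in (("NAR only on VPN group", False), ("NAR on all groups", True)):
        print(label, evaluate(strict))
```

In the loose layout carol, who exists only in AD, is accepted on the PIX because the Default Group has no NAR; in the strict layout the deny NAR on that group rejects her there while still allowing her on devices the NAR does not list.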