TACACS - how does one prevent users from accessing certain NAS?

ACALLAGHAN
Level 1

I have been trying to prevent certain users/groups from accessing certain devices but without any success. Under Network configuration I have defined a catch all group using a 0.0.0.0 address for the network access server IP address. Under the user settings I have ticked the box for Network Access Restrictions and defined the IP address of the router that I want to restrict access to. I have used a wildcard entry for the port number. When I use the "Denied Calling/Point of Access locations" I can get to the defined device and every other device on the network. When I use the permitted option I cannot get to any device! I have tried to set up the device under Network configuration so that it would appear in the drop down box under Network Access Restrictions User settings option but this has not made any difference. Does anyone know a quick and easy way to do this?

Also, does anyone know what all the privilege levels mean? Has anyone used the IOS commands restrictions - I cannot get that to work either. I need some good documentation!

5 Replies

Thank You for your reply but unfortunately one of these articles refers to ACSv3.0 (I am running v2.6) and the other explains what I have already done but does not work. Thanks anyway.

bstillman
Level 1

Under User Setup, Network Access Restrictions, select the access server from the pull down that you want to deny or permit access to. Put an '*' in both the Port and Address fields and click the button. As far as choosing Permitted or Denied Calling/Point of Access Locations, you want to choose the option that will minimize the number of entries you have to input. I have used this feature in version 2.4, 2.5, 2.6, and 3.0 and it works.

As for privilege levels, Cisco has made provisions in IOS where you can assign different commands to a privilege level. Therefore, you can control who can do what based on privilege levels. You can also accomplish this on the ACS servers by specifying the IOS Commands the user is able to execute.

Hopefully this has helped.

Thank you for your response. Your suggestion works but just in addition (for other people wanting to implement this!) you need to make sure that you specify the source ip address that will be used in conjunction with Tacacs i.e.

ip tacacs source-interface loopback0 (or whatever interface you want)

When you set up the server you need to make sure that the IP address is the same as you specified above. Therefore when you choose the server with * for address and port number the "permitted calling point of access" option has an implicit deny and the "denied calling point of access" option has an implicit permit.

As for assigning privilege levels I would like to A. know what the different levels mean and B. know how to implement them in the config of the ACS.

Any more help would be greatly appreciated.

The privilege numbers between 1 and 15 are user definable. You will have to specify the levels in each router that you want this to be enforced on. Then in the ACS server, you can specify a max privilege level on a per user basis or at the group level. For example, if you perform a 'ping' from a router # prompt, the default privilege level is 1. If you want to change this to privilege level 5, here is the command for the router:

privilege exec level 5 ping

Then, in the ACS server, under the user or group settings, set the max privilege level to 5. Test and make sure the user is able to ping. To verify the max privilege level is working properly, try setting the max privilege level to 4, and the user should not be able to ping.
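The router-side pieces mentioned across the thread (a fixed TACACS+ source address so the ACS Network Configuration entry and any Network Access Restriction match the same IP, exec authorization against the server, and moving ping to privilege level 5) fit together as one IOS configuration. The following is an added example, not a configuration posted by anyone in the thread; the interface choice, the 192.0.2.x addresses and the shared-secret placeholder are assumptions made for illustration.

```cisco
! Added example configuration (not from the original thread). Interface,
! addresses and the shared secret are placeholders chosen for illustration.
!
! Give the router one stable address for all TACACS+ traffic. This is the
! address that must appear in the ACS Network Configuration entry for the
! router, and the address a Network Access Restriction is compared against.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER_SHARED_SECRET
ip tacacs source-interface Loopback0
!
! Authenticate logins and authorize the exec session against ACS; the
! trailing "local" keeps a locally defined account usable if the server is
! unreachable, so a mistaken restriction on the server cannot lock you out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Raise "ping" from its default privilege level (1) to level 5. A user whose
! exec authorization reply from ACS carries a lower privilege level will no
! longer have the command available.
privilege exec level 5 ping
!
! Verification from a session authenticated through ACS:
!   show privilege   (confirms the level the server assigned to the session)
!   ping 192.0.2.10  (available at level 5, refused below it)
```

When testing the max privilege setting described above, log in as the test user and run show privilege before trying ping, so that a failed ping can be attributed to the assigned level rather than to an authorization or reachability problem. Because the source interface is fixed, the same address can be entered once under Network Access Restrictions with * for address and port, and the permitted or denied choice then behaves with the implicit deny or implicit permit noted earlier in the thread.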