02-23-2007 11:16 AM - edited 03-10-2019 03:00 PM
We currently have an underutilized ACS server and are trying to 'secure' more of our devices and the network in general utilizing the ACS 4.0 we have.
The problem, and I'm guessing it's a simple resolution, is that currently we have a group called Remote_Access for VPN/Citrix. It is mapped to an external database (Active Directory) group named Remote_Access. Everything works fine there. The problem I'm having is that I created another group in ACS further down the list for TACACS_ADMIN. We also have this group mapped to an AD group called TACACSADM. However, it seems that because I personally am a member of both Remote_Access and TACACSADM, whenever I try to authenticate to a switch, it shows me hitting the Remote_Access group, not TACACS_ADMIN. How do I tell the groups to ignore requests unless they come from a certain AAA client? I tried doing a Define IP Based Restrictions and selecting the AAA NDG that it could come from, but all that did was give me a 'user filtered' in the failed attempts log for Remote_Access. Isn't there some way to have it skip the Remote_Access group and go on to the TACACS_ADMIN group?
Confusing I know.
02-23-2007 11:30 AM
Hi,
A user can be part of a single group only. The first group which is encountered in Active Directory will be used for Group mapping into ACS.
What you can do is add the TACACS+ attributes in the user profile for your username. This way you will have the Remote Access group and also be able to log in to the switch.
Regards,
Vivek
02-23-2007 12:30 PM
But since I don't actually have a username in ACS and it's coming from AD, how would I go about adding the TACACS+ details to it? Wouldn't it be a dynamic user that would go away after a while?
02-23-2007 12:34 PM
Raun,
Dynamic users do not go away after a while. Anyway, another thing which can be done is to add the user manually in ACS and set it to authenticate to the Windows database.
This way the user is no longer a "dynamic" user.
Regards,
Vivek
02-23-2007 07:14 PM
I have been working on similar issues and the product is quite confusing. I think the way it works is you match the first group top down. You have 500 groups to work with, so I think you need to create a group that has rights to both remote access and what you now call TACACSADM. Maybe call it NetAdmin and give that a try.
02-24-2007 02:13 PM
Hello,
You can solve your problem with the Network Access Profile feature. With this feature you can assign one user to different groups.
You must create two Network Access Profiles (profile_remote_access, profile_tacacs_admin) with different protocol types (RADIUS for remote access, TACACS+ for administration).
Look at
regards
alex
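Added example (not from any post in this thread, and not ACS code): a small Python model of the group-selection behaviour the replies describe. Vivek's reply says the first AD group encountered is used for group mapping, the reply about matching "top down" says the same, and alex's reply says a Network Access Profile per protocol lets one user land in different groups. The model assumes exactly that: mappings are evaluated in list order and the first hit wins; an IP-based restriction on the winning group rejects the request instead of skipping to the next mapping (which matches the 'user filtered' entry the original poster saw); and a profile selected by protocol carries its own mapping list. User names, client names and AD membership below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Request:
    """One AAA request as ACS would see it."""
    user: str
    protocol: str      # "radius" (VPN/Citrix) or "tacacs" (switch login)
    aaa_client: str    # name of the AAA client / network device group it came from

# Constructed sample data: AD group membership. 'raun' is in both groups,
# like the original poster; 'vpnonly' is only in Remote_Access.
AD_GROUPS: Dict[str, List[str]] = {
    "raun": ["Remote_Access", "TACACSADM"],
    "vpnonly": ["Remote_Access"],
}

# A mapping entry: (AD group, ACS group, AAA clients allowed by an IP-based
# restriction on that ACS group, or None for no restriction).
Mapping = Tuple[str, str, Optional[List[str]]]

# The thread's mapping list in ACS order: Remote_Access sits above TACACS_ADMIN.
MAPPINGS: List[Mapping] = [
    ("Remote_Access", "Remote_Access", None),
    ("TACACSADM", "TACACS_ADMIN", None),
]

# Same list, but with the IP-based restriction the poster tried on Remote_Access.
MAPPINGS_RESTRICTED: List[Mapping] = [
    ("Remote_Access", "Remote_Access", ["vpn_concentrators"]),
    ("TACACSADM", "TACACS_ADMIN", None),
]

def map_group(req: Request, mappings: List[Mapping]) -> str:
    """Model of ACS group mapping (assumption drawn from the replies):
    walk the list top down, the first mapping whose AD group contains the
    user wins. A restriction on that group rejects the request; it does
    not fall through to the next mapping."""
    member_of = AD_GROUPS.get(req.user, [])
    for ad_group, acs_group, allowed_clients in mappings:
        if ad_group not in member_of:
            continue
        if allowed_clients is not None and req.aaa_client not in allowed_clients:
            return "FAILED: user filtered (%s)" % acs_group
        return acs_group
    return "FAILED: no group mapped"

# Network Access Profiles, as in alex's reply: (profile name, protocol it
# matches, mapping list used inside that profile).
Profile = Tuple[str, str, List[Mapping]]
PROFILES: List[Profile] = [
    ("profile_remote_access", "radius", [("Remote_Access", "Remote_Access", None)]),
    ("profile_tacacs_admin", "tacacs", [("TACACSADM", "TACACS_ADMIN", None)]),
]

def map_group_with_nap(req: Request, profiles: List[Profile]) -> str:
    """Model of NAP selection (assumption): pick the profile whose protocol
    matches the request, then run that profile's own mapping list. The
    Remote_Access mapping is simply not present in the TACACS+ profile, so
    a member of both AD groups reaches TACACS_ADMIN for switch logins."""
    for _name, protocol, mappings in profiles:
        if req.protocol == protocol:
            return map_group(req, mappings)
    return "FAILED: no matching profile"

if __name__ == "__main__":
    switch_login = Request("raun", "tacacs", "switches")
    vpn_login = Request("raun", "radius", "vpn_concentrators")
    print("single list, switch login :", map_group(switch_login, MAPPINGS))
    print("with IP restriction       :", map_group(switch_login, MAPPINGS_RESTRICTED))
    print("NAP, switch login         :", map_group_with_nap(switch_login, PROFILES))
    print("NAP, VPN login            :", map_group_with_nap(vpn_login, PROFILES))
    print("NAP, non-admin on a switch:", map_group_with_nap(Request("vpnonly", "tacacs", "switches"), PROFILES))
```

Run as-is, the first line shows the poster's symptom (Remote_Access wins for a switch login), the second shows why the IP-based restriction only produced a failure, and the NAP lines show the same user landing in Remote_Access over RADIUS and TACACS_ADMIN over TACACS+, while a user who is only in Remote_Access gets no group for a switch login. The model says nothing about what ACS does beyond what the replies state; check the behaviour against your own ACS version before relying on it.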