ACS limit connections

jeffshively
Level 1

Good morning.

We have the ACS Security Appliance and it is on version 4.1(1) Build 23 Patch 4.

I am in the process of setting up a couple of NDGs. One of the NDGs I would like to have for our key routers and the other for our switches. The switches will have a command authorization set that allows our desktop personnel to bring up and down ports.

Currently I have it set for the routers so that desktop cannot issue any commands and get no level when they log in, but I would like to stop them from even being able to log in. Is this feasible?

5 Replies

Jagdeep Gambhir
Level 10

Jeff,

What you are trying to achieve can be done using a Network Access Restriction (NAR).

A condition specified in the NAR needs to be met before a user can access any device in the network. Please refer to the links given below for more information on implementing NARs in ACS:

*Setting Network Access Restrictions for a User Group*

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697095

*Network Access Restrictions White Paper*

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Hope that helps!

I will definitely check that out. Thank you!!!

Reading through the documentation, is there a way to do it by group?

For example, I have a group called Desktop, and Desktop can only access NDG A and B but not NDG C, while my group Full_Access has access to A, B, and C.

Yes, you can set it up at group level:

1) On ACS, go to the group Desktop.

2) Edit Group.

3) Jump to Access Restriction.

4) Under Per Group Defined Network Access Restriction, enable IP-based access restriction.

5) In the AAA clients drop-down, choose your NDG (the one you want the user to have access to, i.e. NDG A, B).

6) For Port and IP address use *.

7) Choose condition Permit.

Now the Desktop group will ONLY have access to NDG A and B. Everything else is denied.

For the admin group, do not set any NAR, so that they can browse the whole network.

Thanks
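The semantics described in the reply above (a Permit NAR on NDG A and B for the Desktop group denies every device outside those NDGs, while a group with no NAR is unrestricted) can be checked with a small model. This is an added example written for this thread, not ACS code and not Cisco's evaluation logic; the NDG names, device addresses and group definitions are constructed, and the matching order is a simplification of what the ACS GUI offers (first matching rule wins, deny rules block, and a group with only deny rules is otherwise unrestricted).

```python
# Added example: a model of per-group IP-based Network Access Restrictions
# (NARs) with AAA clients grouped into Network Device Groups (NDGs).
# Not ACS code; all names and addresses below are constructed for the demo.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed AAA-client inventory: device IP -> NDG it belongs to.
NDG_MEMBERSHIP = {
    "10.0.1.1": "NDG_A",  # key router
    "10.0.1.2": "NDG_A",  # key router
    "10.0.2.1": "NDG_B",  # access switch
    "10.0.3.1": "NDG_C",  # device the Desktop group must not reach
}


@dataclass(frozen=True)
class NarRule:
    """One NAR line: NDG, port pattern, address pattern, Permit/Deny."""
    ndg: str
    port: str = "*"      # "*" as in step 6 of the reply
    address: str = "*"   # "*" as in step 6 of the reply
    permit: bool = True  # condition Permit (step 7) or Deny


@dataclass
class Group:
    name: str
    nar_rules: list = field(default_factory=list)  # empty -> no NAR


def rule_matches(rule, device_ip, port):
    """A rule matches when the device is in the rule's NDG and the
    port/address wildcards match. Unknown devices belong to no NDG."""
    return (NDG_MEMBERSHIP.get(device_ip) == rule.ndg
            and fnmatchcase(port, rule.port)
            and fnmatchcase(device_ip, rule.address))


def access_allowed(group, device_ip, port="tty0"):
    """Return True if a member of `group` may log in to `device_ip`.

    Assumed (simplified) evaluation:
      * no NAR on the group      -> unrestricted (the admin-group case);
      * a matching Deny rule     -> denied;
      * any Permit rules present -> allowed only if one of them matches;
      * only Deny rules, no hit  -> allowed.
    """
    if not group.nar_rules:
        return True
    for rule in group.nar_rules:
        if not rule.permit and rule_matches(rule, device_ip, port):
            return False
    permits = [r for r in group.nar_rules if r.permit]
    if not permits:
        return True
    return any(rule_matches(r, device_ip, port) for r in permits)


# Groups as in the thread: Desktop limited to NDG A and B, Full_Access with no NAR.
DESKTOP = Group("Desktop", [NarRule("NDG_A"), NarRule("NDG_B")])
FULL_ACCESS = Group("Full_Access")


def login_matrix(groups=(DESKTOP, FULL_ACCESS), devices=None):
    """Map (group, device) -> allowed, including one device in no NDG."""
    devices = devices or list(NDG_MEMBERSHIP) + ["192.0.2.9"]
    return {(g.name, d): access_allowed(g, d) for g in groups for d in devices}


if __name__ == "__main__":
    for (group, device), ok in login_matrix().items():
        ndg = NDG_MEMBERSHIP.get(device, "(no NDG)")
        print(f"{group:12} {device:12} {ndg:9} {'PERMIT' if ok else 'DENY'}")
```

The device at 192.0.2.9 is deliberately left out of every NDG: with a Permit-style NAR it is denied for Desktop, which is the useful property here, since a newly added AAA client does not become reachable until someone explicitly places it in a permitted NDG.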

Again thank you very much!

Thankfully, we found out they needed this done before the go-live date.