How to seperate the user authentication on pix? (pix login and vpn auth)

Unanswered Question
Oct 15th, 2007
User Badges:

I have a pix and a secure ACS. Users connect to network with VPN on pix. They authenticate with ACS. Also when we telnet or ssh to pix they also authenticate with ACS. How to seperate them ? Im using windows database.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Premdeep Banga Mon, 10/15/2007 - 03:53
User Badges:
  • Gold, 750 points or more

map normal users to a separate group on ACS, and admin users to another

And on Normal group, apply NAR (IP-based NAR) to restrict access to all the network devices.

i.e., All AAA Clients, *, *

And do not apply anything on Admin group.



t4tauseef33 Wed, 10/31/2007 - 03:18
User Badges:


I have the same problem. I have did this one. but strange. ACS users adopt the policy but all the windows/domain users are able to login. How can i restrict the default group users (domain users only)to not login/access the network devices.

somishra Wed, 10/31/2007 - 03:28
User Badges:
  • Cisco Employee,


In ACS under External User Database -- Database Group Mappings -- Windows Database -- Default -- Edit group mapping for Domain : \DEFAULT -- All other combinations -- Select the CiscoSecure Group as No Access -- Submit




This Discussion