How to separate the group authentication on Switches through Radius/Tacacs+

Oct 31st, 2007

Hi All

I need your help. I have to configure the ACS Server so that the network administrators can use their Windows/Domain accounts to log in to the network switches and routers. I have created 2 groups, one is the general one and the other one is for network administrators. The problem is that when I create the accounts on the ACS server, it works fine: the network admin group is able to log in to the switches while the other group's users are not able to log in to the switches. When I try to use the Windows accounts that I have mapped to the groups, the network admin and the other general group users are both able to log in to the switches. Tell me how I can configure the policy to restrict the general group users (especially the Windows ones) from logging in to the switches. All other settings for both groups are at their defaults. The general group has the following policy.

Per Group Defined Network Access Restrictions; Denied access to all AAA clients.

Please tell me the way to configure such a thing.


somishra Wed, 10/31/2007 - 03:26


In ACS under External User Database -- Database Group Mappings -- Windows Database -- Default -- Edit group mapping for Domain : \DEFAULT -- All other combinations -- Select the CiscoSecure Group as -- Submit



t4tauseef33 Fri, 11/02/2007 - 05:48


I have to use the default group for wireless authentication. Please tell me the other way to do so.

I want to implement the policy so that the default group users cannot access the network devices.


Premdeep Banga Fri, 11/02/2007 - 12:55

Are the administrators that you want to have access to network devices members of some separate group on AD from the normal users?

If they are, then map only that group to the Net Admin group on ACS, and map all other combinations to the wireless group.

And in the Wireless group configure IP based NAR (not the CLI/DNIS based NAR).

And IP based NAR should be,

All AAA client

Port : *

Address : *

So what will happen is, users other than Network Admins will go in the Wireless group, and will be able to access wireless, but will be denied access to any network device for administration.

And on the other hand, network admins will be allowed to have access to network devices and the wireless access.

So the key is proper group mapping and the NAR.
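The decision described in this answer, as an added model that is not ACS code and not part of the original thread: Windows group mapping picks the ACS group, and that group's IP-based NAR then decides the device login. It assumes (as the replies imply) that a user matching no explicit mapping lands in the "all other combinations" fallback group, and it only models device-administration requests, not the wireless RADIUS path.

```python
"""Simplified model of ACS group mapping followed by a per-group IP-based NAR.
Constructed example; group names, AD group names and addresses are made up."""
from dataclasses import dataclass, field

# A DENY filter is (aaa_client, port, address); "*" matches anything.
DENY_ALL = ("*", "*", "*")  # "All AAA clients / Port : * / Address : *" from the reply


@dataclass
class AcsGroup:
    name: str
    nar_deny: list = field(default_factory=list)  # empty list = no NAR, login permitted


GROUPS = {
    "Default": AcsGroup("Default"),                    # no NAR configured
    "NetAdmin": AcsGroup("NetAdmin"),                  # no NAR: admins may reach devices
    "Wireless": AcsGroup("Wireless", nar_deny=[DENY_ALL]),  # denied on every AAA client
}

# Ordered explicit mappings: (Windows group, ACS group). Hypothetical names.
EXPLICIT_MAPPINGS = [("DOMAIN\\NetworkAdmins", "NetAdmin")]


def map_to_acs_group(user_ad_groups, mappings, fallback):
    """First Windows group with a mapping wins; otherwise the fallback group
    ("all other combinations") is used."""
    for ad_group, acs_group in mappings:
        if ad_group in user_ad_groups:
            return acs_group
    return fallback


def nar_matches(filt, aaa_client, port, address):
    return all(f in ("*", v) for f, v in zip(filt, (aaa_client, port, address)))


def device_login(user_ad_groups, aaa_client, port, address, fallback):
    """Return (acs_group, allowed) for an administrative login to aaa_client."""
    group = GROUPS[map_to_acs_group(user_ad_groups, EXPLICIT_MAPPINGS, fallback)]
    denied = any(nar_matches(f, aaa_client, port, address) for f in group.nar_deny)
    return group.name, not denied


def scenario(fallback):
    """Admin and ordinary user both try to log in to a constructed switch."""
    admin = device_login({"DOMAIN\\NetworkAdmins", "DOMAIN\\Users"}, "switch1", "tty0", "10.0.0.5", fallback)
    user = device_login({"DOMAIN\\Users"}, "switch1", "tty0", "10.0.0.6", fallback)
    return admin, user
```

`scenario("Default")` reproduces the original poster's situation (unmapped Windows users fall into Default, which carries no NAR, so they get in), while `scenario("Wireless")` is the fix from this reply.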



alibowluk Mon, 04/28/2008 - 03:02

I am in a similar predicament, did you get this solved?
