Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
568
Views
0
Helpful
4
Replies

How to separate the group authentication on Switches through Radius/Tacacs+

t4tauseef33
Level 1
Level 1

‎10-31-2007 02:48 AM - edited ‎03-10-2019 03:29 PM

Hi All

I need your help. I have to configure the ACS Server so that the network administrators can use their windows/Domain accounts to login to the network switches and routers. I have created 2 groups, one is the general and the other one is for network administrators. The problem is that, when I have created the accounts on the ACS server, it works fine. Like the network admin group is able to login to the switches while the other group users are not able to login to the switches. When I try to use the windows accounts that I have mapped to the groups, the network admin and other general group users both are able to login to the switches. Tell me how I can configure the policy to restrict the general group users (especially windows one) to not login to the switches. All other settings for both groups are by default. The general group has the following policy.

Per Group Defined Network Access Restrictions; Denied access to all AAA clients.

Please tell me the way to configure such thing.

Thanks

Labels:
0 Helpful
4 Replies 4

somishra
Cisco Employee
Cisco Employee

‎10-31-2007 03:26 AM

Hi,

In ACS under External User Database -- Database Group Mappings -- Windows Database -- Default -- Edit group mapping for Domain : \DEFAULT -- All other combinations -- Select the CiscoSecure Group as -- Submit

tnx,

somishra

0 Helpful

t4tauseef33
Level 1
Level 1
In response to somishra

‎11-02-2007 05:48 AM

Hi,

I have to use the default group for wireless authentication. please tell me the other way to do so.

I want to implent the polciy so that the default gropup users cannot access the network devices.

Thanks

0 Helpful

Premdeep Banga
Level 7
Level 7
In response to t4tauseef33

‎11-02-2007 12:55 PM

Are Administrators that you want to have access to network devices, are they a member of some separate group on AD, then the normal users?

If they are, then only MAP that group to the Net Admin group on ACS, and map all other combination to the wireless group.

And in the Wireless group configure IP based NAR (not the CLI/DNIS based NAR).

And IP based NAR should be,

All AAA client

Port : *

Address : *

So what will happen is, users other then Network Admins, will go in the Wireless group, and will be able to access wireless, but will be denied access to any network device for administration.

And on the other hand, network admins will be allowed to have access to network devices and the wireless access.

So the key is proper group mapping and the NAR.

Regards,

Prem

0 Helpful

alibowluk
Level 1
Level 1

‎04-28-2008 03:02 AM

I am in a similar predictament, did you get this solved?

Thanks

Ali

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents