10-31-2007 02:48 AM - edited 03-10-2019 03:29 PM
Hi All
I need your help. I have to configure the ACS Server so that the network administrators can use their Windows/Domain accounts to log in to the network switches and routers. I have created 2 groups, one is the general and the other one is for network administrators. The problem is that, when I have created the accounts on the ACS server, it works fine. Like the network admin group is able to log in to the switches while the other group users are not able to log in to the switches. When I try to use the Windows accounts that I have mapped to the groups, the network admin and other general group users both are able to log in to the switches. Tell me how I can configure the policy to restrict the general group users (especially Windows ones) to not log in to the switches. All other settings for both groups are by default. The general group has the following policy.
Per Group Defined Network Access Restrictions; Denied access to all AAA clients.
Please tell me the way to configure such a thing.
Thanks
10-31-2007 03:26 AM
Hi,
In ACS under External User Database -- Database Group Mappings -- Windows Database -- Default -- Edit group mapping for Domain : \DEFAULT -- All other combinations -- Select the CiscoSecure Group as
tnx,
somishra
11-02-2007 05:48 AM
Hi,
I have to use the default group for wireless authentication. Please tell me the other way to do so.
I want to implement the policy so that the default group users cannot access the network devices.
Thanks
11-02-2007 12:55 PM
Are the Administrators that you want to have access to network devices a member of some separate group on AD, other than the normal users?
If they are, then only MAP that group to the Net Admin group on ACS, and map all other combination to the wireless group.
And in the Wireless group configure IP based NAR (not the CLI/DNIS based NAR).
And IP based NAR should be,
All AAA client
Port : *
Address : *
So what will happen is, users other than Network Admins will go in the Wireless group, and will be able to access wireless, but will be denied access to any network device for administration.
And on the other hand, network admins will be allowed to have access to network devices and the wireless access.
So the key is proper group mapping and the NAR.
Regards,
Prem
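The decision flow described in the reply above, as an added example that is not part of the original thread and not Cisco's code: a simplified Python model of the group mapping followed by the IP-based NAR check. The AD group name, device names and caller IDs are constructed, and the model assumes that an IP-based NAR is only evaluated when the request's caller ID is an IP address (as in a Telnet/SSH login) and is skipped when it is a MAC address (as in a wireless authentication).

```python
import ipaddress

# Constructed mappings, checked in order; first match wins.
# "NetAdmins-AD" is a hypothetical AD group name (the thread gives none).
GROUP_MAPPINGS = [({"NetAdmins-AD"}, "Net Admin")]
DEFAULT_GROUP = "Wireless"  # the "all other combinations" mapping

# IP-based NAR per ACS group: (action, [(aaa_client, port, address), ...])
IP_NARS = {"Wireless": ("deny", [("*", "*", "*")])}

def map_group(ad_groups):
    """Return the ACS group for a Windows user's AD group memberships."""
    for required, acs_group in GROUP_MAPPINGS:
        if required <= set(ad_groups):
            return acs_group
    return DEFAULT_GROUP

def is_ip(value):
    """True if the caller ID parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def nar_permits(acs_group, aaa_client, port, caller_id):
    """Evaluate the group's IP-based NAR for one request."""
    nar = IP_NARS.get(acs_group)
    # Assumption: an IP-based NAR is skipped when the caller ID is not an IP.
    if nar is None or not is_ip(caller_id):
        return True
    action, entries = nar
    hit = any(c in ("*", aaa_client) and p in ("*", port) and a in ("*", caller_id)
              for c, p, a in entries)
    return hit if action == "permit" else not hit

def authorize(ad_groups, aaa_client, port, caller_id):
    """Return (ACS group, allowed?) for one authentication request."""
    group = map_group(ad_groups)
    return group, nar_permits(group, aaa_client, port, caller_id)

if __name__ == "__main__":
    # Constructed requests: switch login by a normal user, then wireless auth.
    print(authorize(["Domain Users"], "core-sw1", "tty1", "10.1.1.50"))
    print(authorize(["Domain Users"], "wlc1", "29", "00-1A-2B-3C-4D-5E"))
```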
04-28-2008 03:02 AM
I am in a similar predicament, did you get this solved?
Thanks
Ali