Restrict User to specific NAS if only default NAS profile is configured

Unanswered Question
Nov 9th, 2007


I use ACSWin4.1/tacacs+ and I want to restrict shell-users to specific NAS without defining all the NAS on the ACS server. I have only defined very few NAS profiles and the <other>-NAS-profile on the ACS-server because I do not like to maintain thousands of NAS profiles on the ACS.

I got this working on the old CSU without problems by using NAS names and wildcards (it worked on the configured hostname/DNS name of the NAS), like NAS:"customer-.*" (router names: customer-router1, ...).

Is there any solution for ACSWin4.1 to get such a function, or at least to enter IP/masks instead of defining every NAS and making big NDGs?



darpotter Wed, 11/14/2007 - 10:46

You can do this, but you'll have to enter some of the devices into ACS, eg whichever you specifically need to permit or deny access to.

The NAR UI control doesn't allow you to enter IP addresses - you can only select from device names already configured.

wagnerch Wed, 11/14/2007 - 21:29

I know this solution, but this means that for specific restricted users who need many devices, at least 50 NAS entries have to be defined. So the solution is not as nice as my old solution used by CSU.

I now found another way by defining a specific nas which includes all ip addresses (or even ip-ranges are allowed for nas definitions) a specific restricted user needs, but this solution does not allow mixing another restricted user to a subset of the nas addresses of the first restricted user.

The problem is that this solution does not allow mixing restricted users easily.
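The thread asks for a per-user NAS restriction that works on hostname wildcards (the old CSU `NAS:"customer-.*"` style) or on IP/mask ranges, with rules for different users that overlap without interfering. The following is an added Python example, not ACS code or anything from the posters, showing that evaluation logic as a deny-by-default policy check; the users, device names and addresses are constructed, and the `NasRule`/`nas_permitted` names are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class NasRule:
    """One per-user NAS restriction: either a hostname regex or an IP network."""
    kind: str      # "host" (regex on the NAS hostname) or "net" (CIDR on the NAS IP)
    pattern: str

    def matches(self, nas_host: str, nas_ip: str) -> bool:
        if self.kind == "host":
            # Anchored full match, so "customer-.*" behaves like the CSU-style wildcard
            # and cannot match a device merely containing the string somewhere inside.
            return re.fullmatch(self.pattern, nas_host, flags=re.IGNORECASE) is not None
        if self.kind == "net":
            return ipaddress.ip_address(nas_ip) in ipaddress.ip_network(self.pattern, strict=False)
        raise ValueError(f"unknown rule kind {self.kind!r}")


# Constructed sample policy (hypothetical users and devices, not from any real ACS).
# Each user's rule list is independent, so alice's and bob's device sets may overlap.
POLICY = {
    "alice": [NasRule("host", r"customer-.*"), NasRule("net", "10.20.0.0/16")],
    "bob":   [NasRule("net", "10.20.5.0/24")],
    "carol": [],   # no rules at all: never permitted anywhere
}


def nas_permitted(user: str, nas_host: str, nas_ip: str, policy=POLICY) -> bool:
    """Deny by default; permit only if one of this user's rules matches the NAS."""
    rules = policy.get(user)
    if not rules:
        return False
    try:
        ipaddress.ip_address(nas_ip)
    except ValueError:
        return False   # malformed NAS address: fail closed rather than guess
    return any(rule.matches(nas_host, nas_ip) for rule in rules)


def evaluate(requests, policy=POLICY):
    """Return one (user, nas_host, nas_ip, decision) row per request, suitable for an audit log."""
    return [
        (user, host, ip, "permit" if nas_permitted(user, host, ip, policy) else "deny")
        for (user, host, ip) in requests
    ]


if __name__ == "__main__":
    # Constructed shell-login attempts: (user, NAS hostname, NAS source IP).
    sample = [
        ("alice", "customer-router1", "192.0.2.10"),   # hostname wildcard matches
        ("bob",   "customer-router1", "192.0.2.10"),   # bob has no hostname rule: deny
        ("bob",   "core-sw1",         "10.20.5.7"),    # inside bob's /24
        ("alice", "core-sw1",         "10.20.5.7"),    # inside alice's /16 (overlap is fine)
        ("carol", "customer-router1", "10.20.5.7"),    # no rules: deny
        ("alice", "odd-box",          "not-an-ip"),    # bad address: fail closed
    ]
    for row in evaluate(sample):
        print(*row)
```

Because every user carries its own rule list, a second restricted user confined to a subset of the first user's devices is just a shorter list for that user; the two policies never have to be merged, which is the "mixing" difficulty raised above.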

