Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
436
Views
0
Helpful
3
Replies

AAA:How to separate the group authentication on Switches through Radius/Tac

pemasirid
Level 1
Level 1

‎12-11-2007 09:33 PM - edited ‎03-10-2019 03:33 PM

Hi,

Currently my ACS is being integrated with AD and all the users can access my IOS devices (configured AAA). I only need one group in my AD to access my IOS devices and another group to use VPN access or any other authentications.

Can anyone tell me how to restrick all other groups in AD to access my network devices except one group in AD which I only want to allow access to my network devices.

Labels:
0 Helpful
3 Replies 3

vkapoor5
Level 5
Level 5

‎12-19-2007 06:37 AM

You can prevent unauthorized users from reconfiguring your switch and viewing configuration information. Typically, you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network

http://cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/swauthen.html

0 Helpful

Alfredo Jurado
Level 1
Level 1

‎12-31-2007 04:00 PM

I wanted to do the same thing with the Active Directory where I only wanted on group called "network admin" to have access to my switches. I have 3 ACSs appliances and 100 switches. This is my setup.

On the ACS Create a "Network Device Group" under NETWORK CONFIGURATION. I called this group "TACACS+ Switches".Once the group is created add all your AAA clients which are your switches.

(you can accomplish that by first going under INTERFACE CONFIGURATION-click on "Network Device Groups" this will enable the ACS to allow you to create "Network Device Groups" also check the "Group-Level Access Restrictions")

Then click on GROUP SETUP. edit the 0:default group and disabled that group.Then select a agroup available from the group list and rename the group "Network Admin" and map that group against the AD group named "Network Admin".

Once that group is correctly mapped.Go back to GROUP SETUP and edit the "Network Admin" group.Within the group you will see an option called "Netwrok Access Restriction (NAR)"

Click the option DEFINE IP-BASED ACCESS RESTRICTIONS. From The AAA Client drop down menu select the "NDG:TACS+ SWITCHES" for the port enter "*" (asterick) for the address you can specified the the network in whic the switches are residing in my case I used "10.*.*.*" the wild cards will allow any network on the 10. network. then click "enter"

This is a high level overview on how I did my setup. Remember to properly define your AAA statement under your Cisco IOS switches.

I hope this help!!

0 Helpful

pemasirid
Level 1
Level 1
In response to Alfredo Jurado

‎03-11-2008 02:05 AM

Hi,

I did as above but still the proble same. Now users in member of Domain Admin cant access my AAA clients and rest can access the AAA clients, but I need the otherway around.

Let me tell you briefly my issue.

1. I need all users in AD to authenticate with AD username/password

2.Only one group in AD need to access my AAA clients

3. Only one group in my AD need to authenticate with VPN client.

Attached are the ACS group mapping and NAR in group DeviceAdmin.

Appreciate if anyone can give me a clear steps for the above requirement please....

thanks

Preview file
216 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents