03-26-2008 12:04 AM
Hi,
We have ACS 4.1 integrated with our AD, which is in use for our WLAN users (PEAP authentication & Easy VPN). We have configured our network devices to authenticate through ACS; the issue with the current setup is that any user who is accessing the WLAN or VPN can access my network devices. We want only certain users to access the network devices. How can we achieve this...does anyone have an idea...if my question is not clear please revert back to me...
Rgd,
Haaris
03-26-2008 03:40 AM
Normally this type of question would be over in the security forum.
There are a myriad of ways to accomplish this task. Here's how I do it in my company:
For device telnet/ssh access (routers, switches, APs) we use TACACS+, while for remote access (WLAN, VPN, and terminal server) we use RADIUS. TACACS+ is more detailed in command logging, so that's why we have it for vty access.
We created AD groups for VPN; VPN and Wireless; VPN, wireless, and terminal server; Device access (level 7 for operators), and Device access (level 15), and associated mapped local groups on the AAA server cluster. We then assigned access permissions and command sets using the ACS server groups.
Now it's just a matter of assigning someone to the appropriate AD group to assign them to a network role.
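The split described in the post above, written out as an IOS AAA configuration. This is an added example and not configuration from the thread or from the poster's network; the server addresses, shared-secret placeholders and method-list names (VTY_AUTH, VTY_EXEC, VTY_CMD7, VTY_CMD15, VPN_AUTH, VPN_AUTHZ) are assumptions. The device-management path uses TACACS+ method lists bound to the vty lines, while the remote-access path uses separate RADIUS method lists, so an account that passes RADIUS for VPN is never consulted for a vty login.

```cisco
! Added example (not from the thread): separate TACACS+ (vty) and RADIUS (remote access) paths.
aaa new-model
!
! Assumed ACS cluster addresses and keys; replace with your own.
tacacs-server host 10.0.0.10 key TACACS_KEY_PLACEHOLDER
radius-server host 10.0.0.11 auth-port 1812 acct-port 1813 key RADIUS_KEY_PLACEHOLDER
!
! Device-management path: TACACS+ first, local user only if ACS is unreachable.
aaa authentication login VTY_AUTH group tacacs+ local
aaa authorization exec VTY_EXEC group tacacs+ local
! Per-command authorization for the operator (level 7) and admin (level 15) sets
! that the ACS groups hand back.
aaa authorization commands 7 VTY_CMD7 group tacacs+ local
aaa authorization commands 15 VTY_CMD15 group tacacs+ local
! Command accounting so every level-15 command is logged on ACS.
aaa accounting commands 15 default start-stop group tacacs+
!
! Remote-access path (Easy VPN / WLAN): RADIUS only, on its own method lists,
! so these lists are never bound to the vty lines.
aaa authentication login VPN_AUTH group radius
aaa authorization network VPN_AUTHZ group radius
!
! Local fallback account used only when the TACACS+ servers do not answer.
username admin privilege 15 secret LOCAL_FALLBACK_PASSWORD_PLACEHOLDER
!
line vty 0 4
 login authentication VTY_AUTH
 authorization exec VTY_EXEC
 authorization commands 7 VTY_CMD7
 authorization commands 15 VTY_CMD15
 transport input ssh
```

On the ACS side, the corresponding step is in the group settings: only the ACS groups mapped from the "Device access" AD groups get the TACACS+ Shell (exec) service enabled, with the privilege level (7 or 15) and command authorization set assigned there. A VPN-only or wireless-only user who tries to SSH to a router still authenticates against AD, but the exec authorization for their mapped group is denied, so they never reach a prompt. Check it by logging in as a member of each AD group and confirming in the ACS Passed/Failed Attempts reports that the VPN-only account fails exec authorization while the operator account lands at level 7.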
03-26-2008 05:24 AM
Thanks a lot for your response...I will post my question on the Security Forum...If you have some documentation, that would help me a lot.
Rgd,