NDGs and User group issues

Answered Question
Apr 11th, 2008

I have two sets of NDGs

1. Routers_Switches

2. UPS_PDU (Power Supplies)

I have two sets of UserGroups

1. Network Administrators

2. UPS Support Staff

I only want Network Admins to access the Routers_Switches group and the UPS Support Staff to access the UPS_PDU NDG. I have users from the Network Admin user group accessing the UPS device group. Is there a way to have the Network Admin group access only the Routers_Switches NDG and not the UPS_PDU NDG?

Correct Answer by craig.eyre, Mon, 04/14/2008 - 07:23

Just select

1. Group Setup

2. Select the Routers_Switches group

3. Then scroll down to the "per group defined network access restrictions" and enable it with a checkmark.

4. Select deny calling/point

5. AAA client = UPS's

6. Ports = *

7. Address = *

8. Hit enter and the new rule will be added to the window above.

9. Click submit (not submit and restart until you create the other NAR for the other group)

Go back and select the UPS_PDU group and do the same steps but,

1. AAA client = routers_switches

2. Port = *

3. Address = *

4. Enter

Click submit and restart, but remember this will stop authenticating users for the time it's restarting.

Hope this helps.

Craig

Pls rate helpful posts.

craig.eyre Sat, 04/12/2008 - 17:53

Which version of ACS software are you running?

It's pretty much the same idea on ACS 3 or 4, but I can explain in more detail with the version you have.

Craig

craig.eyre Sat, 04/12/2008 - 18:02

Hi,

Yeah, in ACS 3.1 it's under the Shared Profile Components page. In ACS 4.1 it's directly under the user groups or under the SPC page.

You need to check the box for "define ip based access restriction" and deny access for all other groups to the wireless access points network device group.

(ACS 3.X)

1. Denied Calling/Point of access restrictions

2. AAA Clients =UPS_PDU (Power Supplies)

3. Port = just put a * for all

4. Src IP address = just put a * as well

SUBMIT to SAVE

Create a second one for the other group like so:

1. Denied Calling/Point of access restrictions

2. AAA Clients =Routers_Switches

3. Port = just put a * for all

4. Src IP address = just put a * as well

Click submit to save it.

Go to the ACS User groups section and select the Network Administrators Group " that don't need access to the UPS's" and apply the NAR you created to that group. Do the same for the other grouping.

(ACS 4.X)

Go directly under the "user groups" and create the NAR there. No need to go under the Shared Profile Components section.

Hope this helps and let me know if you need further assistance or explanation.

Craig


umamon Mon, 04/14/2008 - 11:37

Hi Craig,

I will try this as soon as I can figure out why I can't get to the web interface. I turned on logging Friday of last week and now my drive is full. I've compressed files and regained space on my hard drive, but I still can't get in. If you have any knowledge to assist with this I will appreciate it.

umamon Mon, 04/14/2008 - 14:47

Hi Craig,

I spoke too soon. I've done what you said. The PDU support techs are denied access to the routers/switches, but I'm (a part of the Network Admin group) still able to get into the PDU......

craig.eyre Mon, 04/14/2008 - 19:31

Hi,

You need to go under the Network Admin group and create a NAR that denies access to the PDU device group.

Same steps as 1st one but:

Group Setup, Network Admin group, edit group, create a NAR to deny access to the PDU group and put * for port and address.

hope this clears it up a bit.

Craig

umamon Tue, 04/15/2008 - 22:26

I've tried all your steps, rechecked and tested, and for some reason I am still able to get into the PDU devices. I've tested the deny NAR and it works for the network admin. I even tested the deny NAR for my network devices, and the rule did in fact deny me, so I know that is working. Just for testing purposes, I tested the PDU admin group by denying the PDU devices; the rule did not restrict access for the PDU admin users, they were still able to get into the PDU. I removed the deny for the PDU and re-added the router/switch NDG, and still the same results. Perhaps it could be something on the PDU device that has to be configured? Could there be another option in relation to the way these rules work?

craig.eyre Wed, 04/16/2008 - 07:12

Are any of the users in the PDU admin group members of other groups that are mapped on the ACS? E.g., is Bob a member of PDU admin and Client Support?

You can check in the ACS logs to see what group the user is associating to when they connect to the PDU devices. So if Bob logs in and gains access to your PDU devices (with the NAR), what group is the ACS matching him to?

Craig

darpotter Tue, 04/22/2008 - 08:39

For failures... the Failed Attempts report "Reason" column might give you a clue about which part of the NAR is triggering.

I'm assuming we're talking TACACS+... ACS will choose which type of NAR to use (IP or dial) by looking at the rem_addr attribute. If it sees an IP address it will use IP NARs. If not, it'll use the dial ones.

You could check the T+ accounting report, or run CSTacacs -z -e from the command prompt to see incoming packet logs at the console.
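The selection rule in the reply above (IP-looking rem_addr means the IP-based NARs are consulted, anything else means the CLI/DNIS-based ones are) is the piece of behaviour that decides whether a "deny AAA client = NDG, port *, address *" entry ever fires. The script below is an added example, not ACS code and not from anyone in this thread: it models that rule over the two NDGs and two user groups the question describes, and shows the edge case the thread is chasing, a deny that exists only as an IP-based entry being skipped when the AAA client sends a rem_addr that is not an IP address. The AAA client names, user names, rem_addr values, the "ip"/"cli_dnis" labels and the "first mapped group wins" rule are constructed assumptions for the model.

```python
"""Toy model of per-group NAR evaluation following the rule quoted above:
ACS inspects the TACACS+ rem_addr attribute and, if it parses as an IP
address, evaluates the group's IP-based NARs; otherwise it evaluates the
CLI/DNIS-based ones.  Added example, not ACS code.  NDG and user-group
names come from the thread; AAA client names, user names and rem_addr
values are constructed."""
import ipaddress
from fnmatch import fnmatch

# AAA client -> Network Device Group (constructed membership)
NDG_OF_CLIENT = {
    "core-sw1": "Routers_Switches",
    "edge-rtr1": "Routers_Switches",
    "ups-a": "UPS_PDU",
    "pdu-rack4": "UPS_PDU",
}

# Per-group "denied calling/point of access" entries as (kind, ndg, port, address).
# kind is "ip" or "cli_dnis"; "*" is the wildcard used throughout the thread.
# This is the configuration the thread ends up with: IP-based entries only.
GROUP_NARS = {
    "Network Administrators": [("ip", "UPS_PDU", "*", "*")],
    "UPS Support Staff": [("ip", "Routers_Switches", "*", "*")],
}

# A user can be mapped to several groups; the model applies the first one
# listed (assumption, made to illustrate the "is Bob in two groups?" question).
USER_GROUPS = {
    "netadmin1": ["Network Administrators"],
    "upstech1": ["UPS Support Staff"],
    "bob": ["UPS Support Staff", "Network Administrators"],
}


def is_ip_address(rem_addr):
    """True if rem_addr parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(rem_addr)
        return True
    except ValueError:
        return False


def nar_kind_for(rem_addr):
    """Which NAR table the request is checked against (the rule from the thread)."""
    return "ip" if is_ip_address(rem_addr) else "cli_dnis"


def decide(user, aaa_client, rem_addr, port="*", group_nars=GROUP_NARS):
    """Return (decision, reason) for one login attempt."""
    group = USER_GROUPS[user][0]
    ndg = NDG_OF_CLIENT[aaa_client]
    kind = nar_kind_for(rem_addr)
    for nar_kind, nar_ndg, nar_port, nar_addr in group_nars.get(group, []):
        if nar_kind != kind:
            continue  # the other NAR table is simply not consulted for this request
        if nar_ndg == ndg and fnmatch(port, nar_port) and fnmatch(rem_addr, nar_addr):
            return "deny", f"{group}: denied by {kind} NAR on NDG {ndg}"
    return "permit", f"{group}: no {kind} NAR matched NDG {ndg}"


def mirror_to_cli_dnis(group_nars):
    """Copy of the NAR table in which every IP-based deny is also defined as a
    CLI/DNIS-based deny, so a request with a non-IP rem_addr is caught too."""
    out = {}
    for group, entries in group_nars.items():
        out[group] = list(entries) + [
            ("cli_dnis", ndg, port, addr)
            for kind, ndg, port, addr in entries if kind == "ip"
        ]
    return out


if __name__ == "__main__":
    for user, client, rem in [
        ("netadmin1", "core-sw1", "10.1.1.20"),
        ("upstech1", "core-sw1", "10.1.1.20"),
        ("netadmin1", "ups-a", "10.1.1.20"),
        ("netadmin1", "ups-a", "async"),  # no IP in rem_addr: the IP NAR is skipped
        ("bob", "ups-a", "10.1.1.20"),
    ]:
        print(user, client, rem, decide(user, client, rem))
    fixed = mirror_to_cli_dnis(GROUP_NARS)
    print("with mirrored NARs:", decide("netadmin1", "ups-a", "async", group_nars=fixed))
```

The deciding input in this model is whatever the UPS/PDU actually puts in rem_addr, so the practical check is the one suggested above: look at the T+ accounting report or the CSTacacs console output for a login to one of the PDUs and see whether rem_addr is an IP address at all. If it is not, an IP-based deny will never be evaluated for that device, and the same deny also needs to exist as a CLI/DNIS-based entry.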

umamon Tue, 04/22/2008 - 14:53

Hello,

My logon to the UPS devices does not fail; I actually get into these devices, and I don't. I want to be able to restrict user groups to certain network device groups. Can you help me with that?
