ACS Administration restrictions not 100%

Unanswered Question
Jul 30th, 2008

I am attempting to set up individual admin accounts for customers to admin their VPN users, and ran into an interesting loophole. Under each user there are the Advanced settings where the NARs are, and that user can access the other customers' NARs and gain VPN access to their devices. How can I restrict those users to only add/remove users under his group without showing the rest of the permissions?

Jagdeep Gambhir Wed, 07/30/2008 - 09:50

I don't think that is possible. Those admin users will be able to view all configuration for that user.

Read access to users in these groups.

Enables read-only access to users in the Editable groups.

When the Add/Edit users in these groups option is enabled, it overrides the settings in the Read access to users in these groups option.

If the Add/Edit users in these groups option is checked (enabled), it does not matter if this setting is enabled or disabled. The Add/Edit users in these groups setting overrides this setting, and the administrator can edit all users in the Editable groups.

If the Add/Edit users in these groups option is unchecked (disabled):

* Check this check box to grant the administrator read access to the users in the Editable groups. In this case, the administrator cannot submit changes.

* When unchecked, administrators cannot view users.

This has to be a feature request.



Do rate helpful posts
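The precedence rule quoted above (Add/Edit overrides Read; Read alone gives read-only; neither hides the users) is easy to get wrong when you are handing out one admin per customer. The following is an added example, not ACS code: it models those two check boxes per administrator, resolves the effective access to a group, and adds a small audit that flags any admin who can edit a group owned by another customer. The class and function names, the `customer` field and the sample admins are all constructed for illustration.

```python
"""Model of the ACS per-group admin privilege precedence quoted above.

Added illustration only; AdminPrivileges, effective_access, the customer
field and the sample data are assumptions, not ACS internals.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AdminPrivileges:
    name: str
    customer: str                    # tenant this admin belongs to (assumed)
    editable_groups: FrozenSet[str]  # the "Editable groups" list
    add_edit_users: bool             # "Add/Edit users in these groups"
    read_users: bool                 # "Read access to users in these groups"


def effective_access(admin: AdminPrivileges, group: str) -> str:
    """Return 'edit', 'read' or 'none' for admin on group.

    Add/Edit overrides Read. Read alone is read-only (no submit).
    Neither means the admin cannot view users in the group at all.
    """
    if group not in admin.editable_groups:
        return "none"
    if admin.add_edit_users:
        return "edit"
    if admin.read_users:
        return "read"
    return "none"


def can_create_user(admin: AdminPrivileges, group: str) -> bool:
    return effective_access(admin, group) == "edit"


def visible_groups(admin: AdminPrivileges, all_groups: List[str]) -> List[str]:
    """Groups the admin can at least read."""
    return sorted(g for g in all_groups if effective_access(admin, g) != "none")


def scope_violations(admins: List[AdminPrivileges],
                     group_owner: Dict[str, str]) -> List[Tuple[str, str]]:
    """Audit: (admin, group) pairs where an admin can edit a group that
    belongs to a different customer. This is the cross-tenant case the
    original poster is worried about."""
    findings = []
    for admin in admins:
        for group in sorted(admin.editable_groups):
            if can_create_user(admin, group) and group_owner.get(group) != admin.customer:
                findings.append((admin.name, group))
    return findings


# Constructed sample data (not from any real ACS deployment)
ALL_GROUPS = ["CustA_VPN", "CustB_VPN"]
GROUP_OWNER = {"CustA_VPN": "CustA", "CustB_VPN": "CustB"}
ADMINS = [
    AdminPrivileges("custA-admin", "CustA", frozenset({"CustA_VPN"}), True, False),
    AdminPrivileges("custB-auditor", "CustB", frozenset({"CustB_VPN"}), False, True),
    # Mis-scoped helpdesk account: edit rights on both customers' groups
    AdminPrivileges("helpdesk", "CustA", frozenset({"CustA_VPN", "CustB_VPN"}), True, True),
]

if __name__ == "__main__":
    for admin in ADMINS:
        print(admin.name, "sees", visible_groups(admin, ALL_GROUPS))
    print("cross-tenant edit rights:", scope_violations(ADMINS, GROUP_OWNER))
```

Run the audit against an export of your admin accounts whenever a new customer admin is created; in this model `custA-admin` never sees `CustB_VPN`, while the `helpdesk` account is the one that would let a user be added to another customer's group.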

tahequivoice Wed, 07/30/2008 - 10:40

I think I know where you are going, but the admin user doesn't have access to users in the other groups, just in the group assigned. The problem I see is that under a user account, the other groups show up, and he can add a user to that group, and then that user would be able to log into the other group's VPN servers.

Where would I send in a feature request for this? I am a bit surprised it hasn't come up before. I am finding the ACS very useful for customer VPNs where the customers don't have their own RADIUS server and where we admin their firewall.

Jagdeep Gambhir Thu, 07/31/2008 - 14:23

No, if you allow the admin user to add/edit users in two groups, then only those two groups will show up in the user setup.

And that admin user will not be able to open group setup page.

See attachment
