Windows Groups Authentication with ACS

Answered Question
Nov 17th, 2008

I am trying to set up login authentication on all of our Cisco switches. I have created a Windows AD group called NetworkAdmins and added the correct users to that group. Inside of ACS I did a group mapping and mapped my ACS group called NetworkAdmins to my Windows NetworkAdmins group.

I configure my Cisco 3750 with the following commands for authentication.

aaa new-model
aaa authentication login NetworkAdmins group tacacs+ local
aaa authorization exec NetworkAdmins group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa session-id common

The authentication does work, but it authenticates any user, not just the users in the NetworkAdmins group. How do I tell the switch to only authenticate on the NetworkAdmins group?

Thanks for the help!!

Correct Answer by Collin Clark about 8 years 2 months ago

In ACS, under your group settings configure NAR to allow AAA clients. Under the default group in ACS configure NAR to deny all for AAA clients (or necessary ones).

Hope that helps.


prekojo Mon, 11/17/2008 - 12:02

That appears to have worked. Thanks so much for the help!!! I do have one more question. Once the user is logged in, I issue the "enable" command. When I issue the enable command the switch asks for the enable password. I have the user set up with level 15 privileges; shouldn't the user go right to enable mode without having to type the enable password? How do I set up the user to go straight to enable mode when they log in, instead of having to enter the local enable password?

Thanks again

Collin Clark Mon, 11/17/2008 - 13:18

In your router/switch...

config t
line vty 0 4
privilege level 15

That should do it! You can't do it with firewalls; they force you to enter the enable password.

prekojo Mon, 11/17/2008 - 13:22

Excellent!! Is there any way to do it per user instead of for any vty session?

Thanks again!!!!

Collin Clark Mon, 11/17/2008 - 13:24

Not that I know of. You can set up different authorization groups for people that should not have access to all commands, though.

prekojo Mon, 11/17/2008 - 13:36

Would you specify the authorization groups using the following command then?

aaa authorization commands 3 NetworkUsers group tacacs+ local
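Added example, not from anyone in this thread: a complete switch-side configuration that ties together the privilege-15 question (the `line vty` / `privilege level 15` reply) and the command authorization line just above. Two things it shows that the thread leaves implicit. First, a named method list such as `NetworkAdmins` does nothing until it is bound to a line with `login authentication` / `authorization` commands, so the lists from the original question are applied to the vty lines here. Second, `privilege level 15` on the line gives every authenticated user level 15; the per-user alternative is the `aaa authorization exec` list already in the question, because ACS can return a privilege level to IOS in its Shell (exec) settings, and the user then lands at that level without typing the enable password. Assumptions, all placeholders: the TACACS+ server address and shared key, the local fallback username and secrets, and that the ACS groups NetworkAdmins and NetworkUsers are configured to return privilege level 15 and level 1 respectively with matching command sets.

```cisco
! Added example (not from the thread). Placeholders: 192.0.2.10, the shared
! secret, the fallback username and all secrets. Assumes ACS returns a per-user
! privilege level (15 for NetworkAdmins, 1 for NetworkUsers) in Shell (exec).
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER-SHARED-SECRET
!
! Local fallback account and enable secret, used only when no TACACS+ server
! answers (the "local" method at the end of each list).
username fallback-admin privilege 15 secret PLACEHOLDER-PASSWORD
enable secret PLACEHOLDER-ENABLE-SECRET
!
! Named lists from the question, plus command authorization at the two
! privilege levels in use, so ACS decides which commands each user may run.
aaa authentication login NetworkAdmins group tacacs+ local
aaa authorization exec NetworkAdmins group tacacs+ local
aaa authorization commands 1 NetworkAdmins group tacacs+ local
aaa authorization commands 15 NetworkAdmins group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
! Bind the lists to the vty lines. No "privilege level 15" here: the level
! comes from what ACS returns per user, so a NetworkUsers member lands at
! level 1 and a NetworkAdmins member at level 15, without "enable".
line vty 0 15
 login authentication NetworkAdmins
 authorization exec NetworkAdmins
 authorization commands 1 NetworkAdmins
 authorization commands 15 NetworkAdmins
 transport input ssh
!
! Console: same login and exec authorization, but no command authorization,
! so the local fallback account can still recover the switch if every
! TACACS+ server is unreachable.
line con 0
 login authentication NetworkAdmins
 authorization exec NetworkAdmins
```

A practical check after applying this: log in once with a NetworkAdmins member and once with a NetworkUsers member and run `show privilege` in each session; the first should report level 15 and the second level 1 before either user types `enable`. If both report the level set on the line instead, the `authorization exec` binding on the vty lines is missing or ACS is not returning a privilege level for that group.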

prekojo Tue, 11/18/2008 - 06:19

I haven't got this part working yet, but thanks for the info. Your documentation is great!!!!
