Windows Groups Authentication with ACS

prekojo (Level 1)

I am trying to set up login authentication on all of our Cisco switches. I have created a Windows AD group called NetworkAdmins and added the correct users to that group. Inside of ACS I did a group mapping and mapped my ACS group called NetworkAdmins to my Windows NetworkAdmins group.

I configured my Cisco 3750 with the following commands for authentication:

aaa new-model
aaa authentication login NetworkAdmins group tacacs+ local
aaa authorization exec NetworkAdmins group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa session-id common

The authentication does work, but it authenticates to any user, not just to the users in the NetworkAdmins group. How do I tell the switch to only authenticate on the NetworkAdmins group?

Thanks for the help!!

Accepted Solution

Collin Clark (VIP Alumni)

In ACS, under your group settings configure NAR to allow AAA clients. Under the default group in ACS configure NAR to deny all for AAA clients (or necessary ones).

Hope that helps.


8 Replies


That appears to have worked. Thanks so much for the help!!! I do have one more question. Once the user is logged in, I issue the "enable" command. When I issue the enable command the switch asks for the enable password. I have the user set up with level 15 privileges; shouldn't the user go right to enable mode without having to type the enable password? How do I set up the user to go straight to enable mode when they log in, instead of having to enter the local enable password?

Thanks again

In your router/switch...

config t
line vty 0 4
privilege level 15

That should do it! You can't do it with firewalls, they force you to enter the enable password.

Excellent!! Is there any way to do it per user instead of for any vty session?

Thanks again!!!!

Not that I know of. You can set up different authorization groups for people that should not have access to all commands, though.

Would you specify the authorization groups using the following command then?

aaa authorization commands 3 NetworkUsers group tacacs+ local

I do it in ACS. I've attached a little write-up I did for reference. I hope it helps.

I haven't got this part working yet, but thanks for the info. Your documentation is great!!!!
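An added example, not code posted by anyone in this thread: a small Python auditor that reads an IOS-style running config and reports the AAA gaps the thread touches on. It flags a named login or exec authorization list (such as NetworkAdmins in the question) that is defined but never applied to a line, the absence of a TACACS+ server (in which case "group tacacs+" has nothing to contact and IOS falls through to "local"), a missing "aaa authorization commands" list, and a blanket "privilege level 15" on a vty line, where everyone the server accepts lands in enable mode, so the group restriction lives entirely on the ACS side (the NAR settings in the accepted answer). Both configurations inside it are constructed for the example; the server address and key are placeholders.

```python
"""Static audit of an IOS-style AAA/TACACS+ configuration.

Added example for this thread, not code posted in it. OP_CONFIG mirrors the
commands in the question; VTY_CONFIG adds the line configuration discussed
later in the thread plus a placeholder TACACS+ server. Both are constructed.
"""
import re

OP_CONFIG = """\
aaa new-model
aaa authentication login NetworkAdmins group tacacs+ local
aaa authorization exec NetworkAdmins group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa session-id common
"""

VTY_CONFIG = OP_CONFIG + """\
aaa authorization commands 15 NetworkUsers group tacacs+ local
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY
line con 0
 login authentication NetworkAdmins
line vty 0 4
 privilege level 15
 login authentication NetworkAdmins
 authorization exec NetworkAdmins
line vty 5 15
 login authentication default
"""


def parse_config(text):
    """Split config text into global commands and 'line ...' sections.

    The children of a section are the indented commands that follow it.
    """
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections[cmd] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit_aaa(text):
    """Return a sorted list of (severity, message) findings for the config."""
    global_cmds, sections = parse_config(text)
    findings = []
    login_lists, exec_lists, cmd_levels = set(), set(), set()
    has_server = False
    for cmd in global_cmds:
        if m := re.match(r"aaa authentication login (\S+) ", cmd):
            login_lists.add(m.group(1))
        elif m := re.match(r"aaa authorization exec (\S+) ", cmd):
            exec_lists.add(m.group(1))
        elif m := re.match(r"aaa authorization commands (\d+) ", cmd):
            cmd_levels.add(int(m.group(1)))
        elif cmd.startswith(("tacacs-server host ", "tacacs server ")):
            has_server = True

    if "aaa new-model" not in global_cmds:
        findings.append(("high", "'aaa new-model' missing: AAA method lists are not in effect"))
    if not has_server:
        findings.append(("high", "no TACACS+ server configured: 'group tacacs+' has nothing to contact, so 'local' is the only effective method"))
    if not cmd_levels:
        findings.append(("medium", "no 'aaa authorization commands' list: per-command authorization is not enforced"))

    applied_login, applied_exec = set(), set()
    for name, children in sections.items():
        for child in children:
            if m := re.match(r"login authentication (\S+)", child):
                applied_login.add(m.group(1))
                if m.group(1) != "default" and m.group(1) not in login_lists:
                    findings.append(("high", f"{name}: login list '{m.group(1)}' is applied but never defined"))
            elif m := re.match(r"authorization exec (\S+)", child):
                applied_exec.add(m.group(1))
        if name.startswith("line vty"):
            if not any(c.startswith("login authentication ") for c in children):
                findings.append(("medium", f"{name}: no named login list applied; the 'default' list is used"))
            if "privilege level 15" in children:
                findings.append(("medium", f"{name}: every user accepted on this line starts at privilege 15; who may log in is decided only by the server (e.g. ACS NAR)"))

    # A method list that is defined but applied to no line changes nothing.
    for lst in sorted(login_lists - applied_login):
        findings.append(("high", f"login list '{lst}' is defined but applied to no line"))
    for lst in sorted(exec_lists - applied_exec):
        findings.append(("medium", f"exec authorization list '{lst}' is defined but applied to no line"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("question config", OP_CONFIG), ("with vty lines", VTY_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_aaa(cfg):
            print(f"[{severity}] {message}")
```

Run against the question's commands alone, the auditor reports that both NetworkAdmins lists are defined but applied to no line and that no TACACS+ server is present; with the vty lines added, the only remaining finding is the blanket privilege level 15 on vty 0 4, which is the trade-off behind the "per user" question above: the line setting applies to everyone the server lets in.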
