Help needed restricting users' admin access to devices using ACS 4.2

Jun 22nd, 2009

I have users that access the network via a VPN client to a PIX 515 which authenticates to the ACS (using the default group for unknown users) which uses an external Active Directory Database.

The problem I have is that as the ACS authenticates these users, it now allows them admin access to the PIX. How do I restrict access? I have looked at NARs using the 'All AAA clients, *, *' approach but that just stops their VPN access. (I have a separate group called 'PIX ACCESS' which will contain only defined users for admin access.)

Incidentally I have other devices on the network which are AAA clients, in particular Nortel switches. I can set the group settings for that RADIUS set up to 'Authenticate Only' (RADIUS Nortel option) and that works fine, I was expecting the ACS to have a similar setting for TACACS+.

So how do I allow the unknown users to authenticate to their AD database but restrict them admin access to the AAA clients?

Jagdeep Gambhir Mon, 06/22/2009 - 07:31


You need to use IP-based network access restriction. IP-based access restriction will not let those users access it via SSH/HTTPS etc.



Do rate helpful posts

JDiTomaso Mon, 06/22/2009 - 23:27

Hi JG, I have tried IP based network restriction;

Default Group settings - In Per Group Defined Network Access Restrictions Section

Box ticked for Define IP-Based Restrictions

Table Defines : Denied Calling/Point of Access Locations

All AAA Clients * * entered

This stops VPN clients connecting through the PIX, (though it does the job of allowing only admin access to the users in the admin group)

Am I missing something?

Very common problem. I've solved it twice over the last 6 years with ACS. I'm sketchy on the details. But here goes. First option to explore is using RADIUS for VPN access, then TACACS on all the Cisco switches and PIX firewall. That would make it a lot easier. I think that with TACACS, you can build a NAR based on TCP port number instead of IP address....

So you'd have a group with 3-4 Administrators that can access PIX CLI, and another group of VPN users that can't access the PIX but can VPN in. So on the VPN group, put a NAR that restricts access to SSH/Telnet TCP ports?

This comes up every time I install an ACS server (every 2-3 years), and it's always a trick.

Please let me know if this works for you. And if it doesn't, let us know how you fixed it. I think I can get back into the ACS I last did this with and take a look, but I'd have to call up and make a special trip.

JDiTomaso Wed, 06/24/2009 - 23:57

I have tried implementing NARs but it doesn't work, it doesn't seem to differentiate between VPN access and access to the PIX, it either permits or denies access.

I have even tried denying access based on SSH (All Clients,22,*) and that doesn't work (it actually ignores it).

Jagdeep Gambhir Fri, 06/26/2009 - 09:54

You should choose only the VPN device in the IP-based NAR, with condition deny. Now all would be allowed other than VPN.

It should surely work.



JDiTomaso Tue, 06/30/2009 - 01:41


I've tried that but no luck, just to confirm that the users use the PIX as a VPN device to connect in, but I want to restrict them admin access to the PIX.

Jagdeep Gambhir Tue, 06/30/2009 - 02:16

IP-based NAR filters work only if ACS receives the RADIUS Calling-Station-Id (31) attribute. The Calling-Station-Id (31) must contain a valid IP address. If it does not, it will fall over to DNIS rules.

Please check the RADIUS debug and see what we are getting.



JDiTomaso Tue, 06/30/2009 - 02:23

Hi JG, I'm using TACACS for this setup. Am I right in thinking that NARs don't work well with TACACS?

Yeah. I just made this work. Exact same situation. ASA with VPN access authenticates via RADIUS to ACS, then I set up TACACS in the ASA and authenticated SSH via TACACS to the ACS. I built a NAR, and I did "IP Based access restriction", then chose "Denied Calling point", chose the ASA only, any port, any source address, applied the NAR to a group of users, and users in that group can now VPN in, but they can't SSH in.

And the guy next to me just figured out another way. He did a "Per Group Defined NAR" in ACS, and "Define IP Based Restriction", and Table Defines "Permitted Calling point". Then he chose just the ASA-VPN client which uses RADIUS. All other clients are denied, so that means that group can ONLY VPN in, and can't SSH in. SSH is a second AAA client, with TACACS as the protocol. So there's 2 AAA clients for the ASA, one using RADIUS and one using TACACS.
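The two NAR setups described in the post above, as an added example that is not part of the thread: a simplified Python model of NAR table matching (not ACS code) showing why a single AAA client entry cannot separate VPN from admin logins while two entries can. The AAA client name `ASA-MGMT`, the port values and the addresses are constructed, and reading "chose the ASA only" as the TACACS+ entry is an assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Request:
    aaa_client: str  # AAA client entry in ACS that the request arrived through
    port: str        # port value reported by the device
    address: str     # caller address reported by the device

@dataclass(frozen=True)
class Nar:
    mode: str    # "deny" = Denied Calling/Point of Access Locations, "permit" = Permitted
    rows: tuple  # (aaa_client, port, address) rows; "*" matches anything

    def allows(self, req: Request) -> bool:
        hit = any(
            fnmatchcase(req.aaa_client, c) and fnmatchcase(req.port, p)
            and fnmatchcase(req.address, a)
            for c, p, a in self.rows
        )
        # A permit table admits only matching requests; a deny table rejects them.
        return hit if self.mode == "permit" else not hit

# Constructed requests from the same user in the restricted group.
# One AAA client entry for the firewall: VPN and SSH logins look alike to the NAR.
SINGLE = {"vpn": Request("PIX", "0", "203.0.113.7"),
          "ssh": Request("PIX", "0", "10.1.1.50")}
# Two entries for the same box: ASA-VPN (RADIUS) and ASA-MGMT (TACACS+, hypothetical name).
SPLIT = {"vpn": Request("ASA-VPN", "0", "203.0.113.7"),
         "ssh": Request("ASA-MGMT", "0", "10.1.1.50")}

def outcome(nar: Nar, requests: dict) -> dict:
    """Return {'vpn': bool, 'ssh': bool} for one NAR applied to the group."""
    return {kind: nar.allows(req) for kind, req in requests.items()}

DENY_ALL = Nar("deny", (("*", "*", "*"),))            # "All AAA Clients, *, *"
DENY_MGMT = Nar("deny", (("ASA-MGMT", "*", "*"),))    # deny the TACACS+ entry only
PERMIT_VPN = Nar("permit", (("ASA-VPN", "*", "*"),))  # permit the RADIUS entry only

if __name__ == "__main__":
    print("deny all, single entry :", outcome(DENY_ALL, SINGLE))
    print("deny mgmt, split       :", outcome(DENY_MGMT, SPLIT))
    print("permit vpn, split      :", outcome(PERMIT_VPN, SPLIT))
```

The permit-table variant also rejects any AAA client added later, so the restricted group fails closed on new devices; the deny-table variant has to be extended for each new device.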

