ACS 4.0 with Router / Firewall

Unanswered Question
Jul 27th, 2009
My requirement is to map an Active Directory group with ACS group and allow only this group to ssh/telnet to Firewall and Router.

So far I am only able to map the group on ACS. What steps are required on ACS and Firewall or Router, so that in case ACS is down authentication would be on the device local database?

Jagdeep Gambhir Mon, 07/27/2009 - 14:31

Hi Ronald,

In order to allow a specific group to manage any device we need to set up a network access restriction (NAR). Here is the link,

For fallback option you need this command on IOS device,

aaa new-model

aaa authentication login default group tacacs+ local

username [username] password [password]

Make sure to set up local user.

On Firewall,

aaa authentication http console TACACS LOCAL

aaa authentication ssh console TACACS LOCAL

aaa authentication telnet console TACACS LOCAL

Make sure to set up local user.



Do rate helpful posts
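The fallback described in the reply above only works if each TACACS+ login method list names `local` after the server group and a local user exists. The following check is an added example, not part of the original posts; the function name `audit_fallback` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample IOS configuration (illustrative, not from the thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+
username admin password 0 example
line vty 0 4
 login authentication default
"""

LOCAL_METHODS = ("local", "local-case")


def audit_fallback(config):
    """Return findings for TACACS+ login lists without a usable local fallback."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing; AAA method lists are not active")
    # A fallback to 'local' is useless if no local account is configured.
    has_local_user = any(re.match(r"username \S+ ", ln) for ln in lines)
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", ln)
        if not m:
            continue
        name, methods = m.group(1), m.group(2).split()
        if "tacacs+" not in methods:
            continue  # only lists that use the TACACS+ server group are checked
        # Methods are tried in order, so 'local' must come after tacacs+.
        after = methods[methods.index("tacacs+") + 1:]
        if not any(meth in LOCAL_METHODS for meth in after):
            findings.append(f"login list {name}: no local fallback after tacacs+")
        elif not has_local_user:
            findings.append(f"login list {name}: local fallback but no username defined")
    return findings


if __name__ == "__main__":
    for finding in audit_fallback(SAMPLE_CONFIG):
        print(finding)
```

IOS moves to the next method in a list only when the previous one returns an error, such as an unreachable server; a rejected TACACS+ login does not fall through to `local`.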

ronald.ramzy Mon, 07/27/2009 - 22:13

Hi JG,

Will the NAR conflict with Remote-Access Authentication on ACS?

The Goal is to restrict ssh/telnet to a specific group on ACS without IP restriction and should be able to authenticate on other services Remote Access / Application Access.

All authentications are via ACS.

For accounting, what additional steps are needed?

ronald.ramzy Tue, 07/28/2009 - 08:26

I have created a NAR

Selected check box (Define IP based Access restriction)

Table Define: Denied calling/point of Access location

Added AAA client

And assigned to Group.

But still other groups on ACS can access the Router; I am sure those users are in a different group.

Any clue what could be wrong?

