07-27-2009 01:32 PM - edited 03-10-2019 04:36 PM
Hi,
My requirement is to map an Active Directory group with ACS group and allow only this group to ssh/telnet to Firewall and Router.
So far I am only able to map the group on ACS. What steps are required on ACS and on the Firewall or Router, so that in case ACS is down authentication falls back to the device's local database?
07-27-2009 02:31 PM
Hi Ronald,
In order to allow a specific group to manage any device we need to set up a network access restriction (NAR). Here is the link,
http://cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
For fallback option you need this command on IOS device,
aaa new-model
aaa authentication login default group tacacs+ local
username [username] password [password]
Make sure to set up local user.
On Firewall,
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
Make sure to set up local user.
Regards,
~JG
Do rate helpful posts
07-27-2009 10:13 PM
Hi JG,
Will the NAR conflict with Remote-Access Authentication on ACS?
The Goal is to restrict ssh/telnet to a specific group on ACS without IP restriction and should be able to authenticate on other services Remote Access / Application Access.
All authentication is via ACS.
For accounting, what additional steps are needed?
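Putting JG's fallback commands together with the accounting question above, here is a complete IOS device configuration as an added example (not taken from either post, and not a Cisco reference configuration). The server address 192.0.2.10, the key and the local username are placeholders you must replace; the commands themselves are standard IOS AAA commands of that era. The `start-stop` accounting lines are what send EXEC session and privileged command records to ACS, which is the missing piece for the accounting question.

```text
! --- IOS router: TACACS+ to ACS with local fallback and accounting ---
aaa new-model
! ACS server (placeholder address and key; use the key configured on ACS for this AAA client)
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-SECRET
! Login: try ACS first, use the local user database only if ACS does not respond
aaa authentication login default group tacacs+ local
! Enable password: ACS first, then the locally configured enable secret
aaa authentication enable default group tacacs+ enable
! EXEC authorization from ACS (this is where the group's shell/privilege profile is enforced)
aaa authorization exec default group tacacs+ local
! Accounting: send session start/stop and level-15 command records to ACS
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Local fallback user (placeholder); the local enable secret is the fallback for "enable"
username fallbackadmin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
enable secret REPLACE-WITH-STRONG-ENABLE-SECRET
! Management lines: SSH only, using the default AAA method lists above
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 accounting exec default
 accounting commands 15 default

! --- ASA firewall: same idea using the aaa-server group syntax ---
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa accounting ssh console ACS
aaa accounting command ACS
username fallbackadmin password REPLACE-WITH-STRONG-PASSWORD privilege 15
```

One caveat worth checking when you test this: the `local` (and ASA `LOCAL`) fallback is used only when every TACACS+ server in the group fails to respond, not when ACS answers with a reject. A user denied by the NAR is therefore still denied, which is the intended behaviour; only an unreachable ACS opens the local account. Verify the fallback by temporarily making the server unreachable rather than by entering a wrong password, and keep the local account's password out of any shared document.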
07-28-2009 08:26 AM
Hi,
I have created a NAR:
Selected the check box (Define IP-based Access Restriction)
Table Define: Denied calling/point of access location
Added the AAA client
And assigned it to the Group.
But still other groups on ACS can access the Router, and I am sure those users are in a different group.
Any clue what could be wrong?