ACS 4.0 with Router / Firewall

ronald.ramzy
Level 1

Hi,

My requirement is to map an Active Directory group to an ACS group and allow only this group to ssh/telnet to the Firewall and Router.

So far I am only able to map the group on ACS. What steps are required on ACS and on the Firewall or Router so that, in case ACS is down, authentication falls back to the device's local database?

3 Replies

Jagdeep Gambhir
Level 10

Hi Ronald,

In order to allow a specific group to manage any device, we need to set up a network access restriction (NAR). Here is the link,

http://cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

For fallback option you need this command on IOS device,

aaa new-model

aaa authentication login default group tacacs+ local

username [username] password [password]

Make sure to set up local user.

On Firewall,

aaa authentication http console TACACS LOCAL

aaa authentication ssh console TACACS LOCAL

aaa authentication telnet console TACACS LOCAL

Make sure to set up local user.

Regards,

~JG

Do rate helpful posts
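As an added example (not from this thread or from Cisco's documentation), here is a fuller version of the fallback configuration JG describes, extended with the TACACS+ server definition, the vty settings and the accounting lines that the accounting question in this thread calls for. The ACS address 10.1.1.5, the interface name, the local username and the shared key are constructed placeholders, and the example assumes SSH keys are already generated on both devices.

```cisco
! ---- IOS router (constructed example) ----
aaa new-model
! ACS 4.0 speaking TACACS+; the key must match the AAA client entry on ACS
tacacs-server host 10.1.1.5 key REPLACE_WITH_SHARED_KEY
! Ask ACS first; "local" is used only when no TACACS+ server answers,
! not when ACS reaches a decision and rejects the user
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Accounting: exec session start/stop and privilege-15 commands go to ACS
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Local fallback account; "secret" stores a hash, "password" does not
username fallback-admin privilege 15 secret REPLACE_WITH_LOCAL_PASSWORD
! Management only over SSH; bind the default lists to the vty lines
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 accounting exec default
!
! ---- ASA / PIX firewall (constructed example) ----
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.1.1.5
 key REPLACE_WITH_SHARED_KEY
! Same order as on IOS: ACS first, LOCAL only if the server is unreachable
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
! Accounting for management sessions and for commands entered
aaa accounting ssh console TACACS
aaa accounting command TACACS
username fallback-admin password REPLACE_WITH_LOCAL_PASSWORD privilege 15
```

Verify the fallback before relying on it: with ACS reachable, a local-only account should be refused; with the ACS entry temporarily unreachable, the local account should log in and the device should log the TACACS+ server as dead.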

Hi JG,

Will the NAR conflict with Remote-Access Authentication on ACS?

The goal is to restrict ssh/telnet to a specific group on ACS without IP restriction, and that group should still be able to authenticate to other services (Remote Access / Application Access).

All authentication is via ACS.

For accounting, what additional steps are needed?

Hi,

I have created a NAR

Selected the check box (Define IP-based Access Restrictions)

Table defines: Denied Calling/Point of Access Locations

Added AAA client

And assigned to Group.

But still other groups on ACS can access the Router; I am sure those users are in a different group.

Any clue what could be wrong?
