How to stop ACS intergated AD users to login in AAA clients(network device)

Unanswered Question
Aug 13th, 2009
User Badges:

I have ACS 4.2 Appliance which is integrated with Active directory.

AD users are able to login in network devices. Is there any so that I can stop AD user and other local users to login in AAA clinets (network devices).

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
sunil.aroraa Thu, 08/13/2009 - 19:52
User Badges:

HI Robert,

Thanks for your reply.

But I'm not talking about administration of ACS applinace. The concern is to stop the external database user to login in network devices (AAA clients).

Robert.N.Barrett_2 Fri, 08/14/2009 - 09:53
User Badges:
  • Bronze, 100 points or more

These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.

What kind of AAA clients are we talking about? Cisco switches, Cisco WLC's? Swicthing gear from other companies?

For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS ro TACACS+, respectively):

aaa group server radius rad_admin


aaa group server tacacs+ tac_admin


If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

Robert.N.Barrett_2 Fri, 08/14/2009 - 10:01
User Badges:
  • Bronze, 100 points or more

As a follow-up, let's assume you want to use ACS to authenticate admin access to your AAA clients, but you don't want ACS to check against AD.

If you are using TACACS+ for admin auth, and the admin users are in the local database on the ACS server, then I think you just need to go to your AAA client definition on the ACS server and scroll down to the "Tacacs+ login/enable authentication" section and select the appropriate "Authenticate Using" option.

sunil.aroraa Sat, 08/15/2009 - 23:34
User Badges:

Yes, I don't want ACS to check credentials against AD and wants to denied the access to users for AAA clients (routers and switches) which are not local database of ACS. OR I can restrict the only specific user or groups to login in AAA clients.

I haven't found any option for it. As you said, scroll down to "Tacacs+ login/enable authentication" section but I was not able to find this option. Can you please elaborate this or can give the path and screen shot for the same.

I'll appreciate your efforts so solve the issue.

sunil.aroraa Mon, 02/01/2010 - 02:22
User Badges:


My problem havn't resolved yet and i'm still looking for solution. I have not found " Authenticate Using" option in ACS.

l'll appriciate if you can excatly let me know where I can find this option.

Thanks in advance.


This Discussion