08-13-2009 08:26 AM - edited 03-10-2019 04:38 PM
I have ACS 4.2 Appliance which is integrated with Active directory.
AD users are able to log in to network devices. Is there any way that I can stop AD users and other local users from logging in to AAA clients (network devices)?
08-13-2009 11:39 AM
Check how admin access is controlled (by what groups):
08-13-2009 07:52 PM
Hi Robert,
Thanks for your reply.
But I'm not talking about administration of the ACS appliance. The concern is to stop the external database users from logging in to network devices (AAA clients).
08-14-2009 09:53 AM
These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
What kind of AAA clients are we talking about? Cisco switches, Cisco WLCs? Switching gear from other companies?
For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS or TACACS+, respectively):
aaa group server radius rad_admin
 server xxx.xxx.xxx.xxx
aaa group server tacacs+ tac_admin
 server xxx.xxx.xxx.xxx
If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).
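The server-group lines above only define where the switch can send requests; the switch also has to be told to use that group for login, enable and exec authorization, otherwise it keeps using its local user database. The following Cisco IOS snippet is an added example for this thread (it is not from the original post or from Cisco's documentation for this case) showing a complete TACACS+ configuration that points admin authentication at the tac_admin group with local fallback only when ACS is unreachable. The ACS address 192.0.2.10, the shared key, the fallback username and the password are placeholders. Once the device only asks ACS, which users may log in is decided on the ACS side (per-user or per-group shell/exec permission, and whether unknown users are passed to AD at all).

```cisco
! Added example (not from the original thread): Cisco IOS AAA configuration
! that sends admin logins to the TACACS+ server group tac_admin.
! ACS address, shared key, fallback account and password are placeholders.
aaa new-model
!
! Legacy (12.x-era) TACACS+ server definition matching the ACS 4.2 timeframe.
tacacs-server host 192.0.2.10 key ACS_SHARED_KEY_PLACEHOLDER
!
aaa group server tacacs+ tac_admin
 server 192.0.2.10
!
! Login and enable authentication: ask ACS (tac_admin) first; fall back to the
! local database / enable secret only if no ACS server responds.
aaa authentication login default group tac_admin local
aaa authentication enable default group tac_admin enable
!
! Exec authorization from ACS as well, so ACS decides who gets a shell here.
aaa authorization exec default group tac_admin local
!
! Local fallback account, used only when ACS does not respond.
username admin-fallback privilege 15 secret STRONG_PASSWORD_PLACEHOLDER
enable secret ENABLE_SECRET_PLACEHOLDER
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

With this in place, a user who is not permitted on ACS is rejected by the switch even if the account exists in AD or in another device's local database; the `local` keyword only takes effect when every server in tac_admin has timed out, which is worth confirming with a test login before relying on it.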
08-14-2009 10:01 AM
As a follow-up, let's assume you want to use ACS to authenticate admin access to your AAA clients, but you don't want ACS to check against AD.
If you are using TACACS+ for admin auth, and the admin users are in the local database on the ACS server, then I think you just need to go to your AAA client definition on the ACS server and scroll down to the "Tacacs+ login/enable authentication" section and select the appropriate "Authenticate Using" option.
08-15-2009 11:34 PM
Yes, I don't want ACS to check credentials against AD, and I want to deny access to AAA clients (routers and switches) for users who are not in the local database of ACS. Or, I could restrict only specific users or groups to log in to AAA clients.
I haven't found any option for it. As you said, I scrolled down to the "Tacacs+ login/enable authentication" section, but I was not able to find this option. Can you please elaborate on this, or give the path and a screenshot for the same?
I'll appreciate your efforts to solve the issue.
02-01-2010 02:22 AM
Hi,
My problem hasn't been resolved yet and I'm still looking for a solution. I have not found the "Authenticate Using" option in ACS.
I'll appreciate it if you can let me know exactly where I can find this option.
Thanks in advance.