Denying AAA Clients to a specific user group in ACS v4.1

Answered Question
Oct 23rd, 2009

Using 4.1, is there a "simple" method of simply denying a user group the ability to even log in to specific AAA clients? The customer has a telephony group that they want to allow to telnet and check into all the voice routers, but no other routers. They have the command sets and all that set up, but wanted to see if there is a way to push that group simply to voice routers only??

thanks in advance,

dave

Correct Answer by Jatin Katyal about 7 years 9 months ago

Hi,


Why don't you use NAR (Network Access Restriction)?


Under the network config > simply create one NDG and assign all the voice routers under it.


After that go to the group/user where you want to put this restriction.


You need to check what we are getting in the calling station ID. If we are getting an IP address, then:


[1] To accomplish the above we would configure the group with the following

NAR (network access restriction)


Define IP based Network Access Restriction

Permitted Calling Point

AAA client: VOICE NDG created

Port *

Src IP Address *


Submit the changes and try.


Here is more on configuring Network Access Restriction:


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478900


HTH


JK


Plz rate helpful posts-


Correct Answer by Jagdeep Gambhir about 7 years 9 months ago

You can set it up using NAR in ACS.


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml


Regards,

~JG


Do rate helpful posts

DAVE GENTON Fri, 10/23/2009 - 08:49

I looked at that, but isn't that just simply a "network restriction"? I want them to be able to log in to all voice routers and execute the "allowed" commands we have listed, but if they log in to a data-only router, to get denied access altogether. Make sense?

Jatin Katyal Fri, 10/23/2009 - 09:02
User Badges:
  • Cisco Employee,

Hi,


Just checked your reply.


Well, you need to get a bit tricky. It looks like you have data and voice routers, and you want no access to the data routers and restricted access to the voice routers.


Check this:


Create two NDGs, one for the voice routers and the other for the data routers.


Go to the group > apply a NAR on the data routers with the action as denied. If we are getting anything apart from a valid IP address, then you have to use a CLI/DNIS-based NAR.


Since you have a command set created with specific commands > on the same group > scroll down to the Shell Command Authorization Set


Assign a Shell Command Authorization Set on a per Network Device Group Basis

Here you can map the VOICE routers' NDG to the respective command authorization set.


So this way we can deny access to the data routers and give restricted access to the voice routers.


HTH


JK


Plz rate helpful posts-





DAVE GENTON Fri, 10/23/2009 - 08:53

Thanks, I will give that a shot. What was hanging me up on the NAR was that it showed CLID/DNIS, but they are local telnet users...

kwillacey Mon, 11/09/2009 - 12:32
User Badges:
  • Bronze, 100 points or more

What do the stars mean? Is it a wild card?


If I select deny access and all AAA clients and apply it to a group, does that mean that they will not have access to the AAA client? i.e. they will not be able to authenticate and log on to a router.

Jagdeep Gambhir Mon, 11/09/2009 - 12:45
User Badges:
  • Red, 2250 points or more

Yes it is a wild card.


Yes, if the condition is deny for all AAA clients, then that group will not have access to any of the clients.


Access denied.



Regards,

~JG


Do rate helpful posts

Jatin Katyal Mon, 11/09/2009 - 12:49
User Badges:
  • Cisco Employee,

Hi Kelvin,


You got it right. * means wildcard, and if we use (*) for port and source address then it would assume any port/address.


If you use the action as deny for all AAA clients, then users of that group in ACS will not be able to access any device.


HTH


JK


Plz rate helpful posts-
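To make the NAR behaviour discussed above concrete (the permitted VOICE-NDG entry, the denied DATA-NDG variant, and the "deny for all AAA clients" case), here is a small Python model. It is an added example, not ACS code; the entry format, the NDG membership and the first-match-any semantics are assumptions chosen to mirror the thread.

```python
"""Toy model of an ACS 4.x IP-based NAR (added example, not ACS code).

Assumptions: a NAR has a mode ("permitted" or "denied") and a list of
entries (aaa_client, port, src_ip). "*" is a wildcard; aaa_client may be
a single device name, an NDG name, or "All AAA Clients".
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed sample NDG membership: AAA client name -> NDG name.
NDGS = {
    "voice-rtr-1": "VOICE", "voice-rtr-2": "VOICE",
    "data-rtr-1": "DATA", "asa-vpn": "DATA",   # the ASA is also an AAA client
}


@dataclass
class Entry:
    aaa_client: str          # device name, NDG name, or "All AAA Clients"
    port: str = "*"          # "*" matches any port
    src_ip: str = "*"        # "*" or a shell-style pattern such as "10.1.*"

    def matches(self, client: str, port: str, src_ip: str) -> bool:
        client_ok = (self.aaa_client == "All AAA Clients"
                     or self.aaa_client == client
                     or self.aaa_client == NDGS.get(client))
        return (client_ok and fnmatch(port, self.port)
                and fnmatch(src_ip, self.src_ip))


def nar_allows(mode: str, entries, client: str, port: str, src_ip: str) -> bool:
    """Permitted mode: allow only if some entry matches.
    Denied mode: deny if some entry matches, otherwise allow."""
    hit = any(e.matches(client, port, src_ip) for e in entries)
    return hit if mode == "permitted" else not hit


# The telephony group's NAR from the first answer: permit only the VOICE NDG.
TELEPHONY_NAR = ("permitted", [Entry("VOICE", "*", "*")])
# The follow-up variant: deny the DATA NDG instead.
TELEPHONY_NAR_DENY = ("denied", [Entry("DATA", "*", "*")])
# kwillacey's case: action deny for all AAA clients.
DENY_ALL_NAR = ("denied", [Entry("All AAA Clients", "*", "*")])

if __name__ == "__main__":
    for label, nar in [("permit VOICE", TELEPHONY_NAR),
                       ("deny DATA", TELEPHONY_NAR_DENY),
                       ("deny all", DENY_ALL_NAR)]:
        for dev in NDGS:   # constructed telnet request from 10.1.1.5 on tty1
            print(f"{label:12} {dev:12} -> {nar_allows(*nar, dev, 'tty1', '10.1.1.5')}")
```

Note that in the deny-DATA form the ASA, being an AAA client in the DATA NDG, is caught by the same NAR, which is the situation the later TACACS+ VPN question runs into.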

kwillacey Mon, 11/09/2009 - 12:54
User Badges:
  • Bronze, 100 points or more

OK, thanks, that's what I was hoping. One more question: if I have remote access VPN on an ASA and authentication is provided via the ACS, and I add the NAR as I described earlier, would those users in the group still be able to authenticate?

Jatin Katyal Mon, 11/09/2009 - 13:50
User Badges:
  • Cisco Employee,

Hi kelvin,


They will be able to connect if you are using the ASA for VPN with the RADIUS protocol.


HTH


JK


Plz rate helpful posts-

kwillacey Mon, 11/09/2009 - 13:54
User Badges:
  • Bronze, 100 points or more

I am guessing if it is using TACACS then it is going to be a problem, am I right?

Jatin Katyal Mon, 11/09/2009 - 13:58
User Badges:
  • Cisco Employee,

Kelvin,


You are correct. If we are using TACACS for both sessions then this would not work, because the rem_address would be the same and that will not allow the VPN users because the NAR is there.


HTH


JK


Plz rate helpful posts-

kwillacey Mon, 11/09/2009 - 14:01
User Badges:
  • Bronze, 100 points or more

ACS 3.2 does not have device groups, so I cannot separate the devices.... Thanks a lot, I'm gonna have to think about it some more.
