Denying AAA Clients to a specific user group in ACS v4.1

DAVE GENTON (Level 2)

Using 4.1 is there a "simple" method of simply denying a usergroup the ability to even login to specific AAA clients? Customer has a telephony group that they want to allow them to telnet and check into all the voice routers, but no other routers; they have the command sets and all that setup but wanted to see if there was a way to push that group simply to voice routers only?

thanks in advance,

dave

2 Accepted Solutions

Jagdeep Gambhir (Level 10)

Jatin Katyal (Cisco Employee)

Hi,

Why don't you use NAR (Network Access Restriction)?

Under the network config > simply create one NDG and assign all the voice router under it.

After that go to the group/user where you want to put this restriction

You need to check what we are getting in the calling station ID. If we are getting an IP address then:

[1] To accomplish the above we would configure the group with the following:

NAR (network access restriction)

Define IP based Network Access Restriction

Permitted Calling Point

AAA client: VOICE NDG created

Port *

Src IP Address *

Submit the changes and try.

Here is more on configuring Network Access Restriction:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478900

HTH

JK

Plz rate helpful posts-

~Jatin


13 Replies

Jagdeep Gambhir (Level 10)

You can set it up using NAR in ACS.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

Regards,

~JG

Do rate helpful posts

I looked at that, but isn't that just simply "network restriction"? I want them to be able to login to all voice routers and execute the "allowed" commands we have listed, but if they login to a data only router, to get denied access altogether. Make sense?

Hi,

Just checked your reply.

Well, you need to go a bit tricky; it looks like you have data and voice routers and you want no access to data routers and restricted access to voice routers.

Check this:

Create two NDGs, one for voice routers and the other for data routers.

Go to the group > apply NAR on data routers with action as denied. If we are getting anything apart from a valid IP address then you have to use CLI/DNIS-based NAR.

Since you have a command set created with specific commands > on the same group > scroll down to the Shell Command Authorization Set

Assign a Shell Command Authorization Set on a per Network Device Group Basis

Here you can map the VOICE routers' NDG to the respective command authorization set.

So this way we can deny access to data routers and restrict access to voice routers.

HTH

JK

Plz rate helpful posts-

~Jatin


Thanks I will give that a shot, that's what was hanging me up on the NAR was that it showed CLID/DNIS but they are local telnet users...

What do the stars mean, is it a wild card?

If I select deny access and all AAA clients and apply it to a group, does that mean that they will not have access to the AAA client? I.e. they will not be able to authenticate and log on to a router.

Yes it is a wild card.

Yes, if the condition is deny for all AAA clients then that group will not have access to any of the clients.

Access denied.

Regards,

~JG

Do rate helpful posts

Hi Kelvin,

You got it right. * means wildcard and if we use (*) for port and source address then it would assume any port/address.

If you use action as deny for all AAA clients then users of that group in ACS will not be able to access any device.

HTH

JK

Plz rate helpful posts-

~Jatin
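As an added illustration (not code from this thread and not Cisco ACS code), here is a small Python model of the group configuration Jatin described earlier in the thread (permit the VOICE NDG with port * and source address *, deny the DATA NDG, map the VOICE NDG to a shell command authorization set) together with the wildcard and "deny, all AAA clients" semantics confirmed just above. The data model, the rule that every NAR attached to a group must pass, and the sample device inventory are assumptions made for the example, not how ACS is implemented internally.

```python
"""Toy model of ACS group Network Access Restrictions (NARs).

Added illustration only: this is not Cisco ACS code. The data model, the
evaluation order (every NAR on the group must pass) and the sample devices
are assumptions made for the example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Tuple


@dataclass(frozen=True)
class AaaClient:
    name: str
    ip: str
    ndg: str  # Network Device Group the AAA client is assigned to


@dataclass(frozen=True)
class CallingPoint:
    """One row of a NAR: AAA client (selected here by NDG), port and source
    address. '*' is a wildcard, as confirmed in the thread."""
    ndg: str
    port: str = "*"
    src_ip: str = "*"

    def matches(self, client: AaaClient, port: str, src_ip: str) -> bool:
        return (
            (self.ndg == "*" or self.ndg == client.ndg)
            and fnmatchcase(port, self.port)
            and fnmatchcase(src_ip, self.src_ip)
        )


@dataclass(frozen=True)
class Nar:
    action: str  # "permit": must match a row; "deny": must match no row
    rows: Tuple[CallingPoint, ...]


@dataclass
class Group:
    name: str
    nars: Tuple[Nar, ...]
    command_sets: Dict[str, str]  # NDG name -> shell command authorization set


def evaluate_login(group: Group, client: AaaClient, port: str, src_ip: str) -> Tuple[bool, str]:
    """Return (allowed, detail): the command set applied on success, or the
    reason for the rejection. Every NAR on the group must pass (assumed)."""
    for nar in group.nars:
        hit = any(row.matches(client, port, src_ip) for row in nar.rows)
        if nar.action == "permit" and not hit:
            return False, f"{client.name}: not a permitted calling point for group {group.name}"
        if nar.action == "deny" and hit:
            return False, f"{client.name}: denied calling point for group {group.name}"
    return True, group.command_sets.get(client.ndg, "no command set mapped")


# Constructed sample inventory (not from the thread).
VOICE_RTR1 = AaaClient("voice-rtr1", "10.0.1.1", "VOICE")
DATA_RTR1 = AaaClient("data-rtr1", "10.0.2.1", "DATA")
LAB_SWITCH = AaaClient("lab-sw1", "10.0.9.1", "OTHER")  # in neither NDG

# Telephony group: permit VOICE NDG (port *, src *), deny DATA NDG, and map
# the VOICE NDG to a restricted shell command authorization set.
TELEPHONY = Group(
    name="telephony",
    nars=(
        Nar("permit", (CallingPoint("VOICE"),)),
        Nar("deny", (CallingPoint("DATA"),)),
    ),
    command_sets={"VOICE": "VOICE_SHOW_ONLY"},
)

# A group with "deny, all AAA clients": nobody in it can log in anywhere.
LOCKED_OUT = Group(
    name="locked-out",
    nars=(Nar("deny", (CallingPoint("*"),)),),
    command_sets={},
)


if __name__ == "__main__":
    for grp in (TELEPHONY, LOCKED_OUT):
        for dev in (VOICE_RTR1, DATA_RTR1, LAB_SWITCH):
            ok, detail = evaluate_login(grp, dev, "tty1", "192.0.2.10")
            print(f"{grp.name:10} {dev.name:10} {'ALLOW' if ok else 'DENY '} {detail}")
```

Run it and the telephony group is allowed onto the voice router with the VOICE_SHOW_ONLY command set, refused on the data router, and also refused on the lab switch that sits in neither NDG, because the permit NAR only lists VOICE. The explicit deny on DATA is therefore redundant in this model, but it records the intent and keeps holding if someone later widens the permitted list; the locked-out group shows that a single deny row with the * wildcard refuses every client.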

OK thanks that's what I was hoping. One more question, if I have remote access VPN on an ASA and authentication is provided via the ACS and I add the NAR as I described earlier would those users in the group still be able to authenticate?

Hi Kelvin,

They will be able to connect if you are using the ASA for VPN with the RADIUS protocol.

HTH

JK

Plz rate helpful posts-

~Jatin

I am guessing if it is using TACACS then it is going to be a problem, am I right?

Kelvin,

You are correct. If we are using TACACS for both sessions then this would not work, because rem_address would be the same and that will not allow the VPN users because the NAR is there.

HTH

JK

Plz rate helpful posts-

~Jatin

ACS 3.2 does not have device groups so I cannot separate the devices.... thanks a lot I'm gonna have to think about it some more.
