10-23-2009 08:30 AM - edited 03-10-2019 04:45 PM
Using 4.1, is there a "simple" method of simply denying a usergroup the ability to even log in to specific AAA clients? The customer has a telephony group that they want to allow to telnet into and check all the voice routers, but no other routers. They have the command sets and all that set up, but wanted to see if there is a way to restrict that group simply to voice routers only??
thanks in advance,
dave
10-23-2009 08:44 AM
You can set it up using NAR in ACS.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
Regards,
~JG
Do rate helpful posts
10-23-2009 08:50 AM
Hi,
Why don't you use NAR (Network Access Restriction)?
Under the network config, simply create one NDG and assign all the voice routers under it.
After that, go to the group/user where you want to put this restriction.
You need to check what we are getting in the calling station ID. If we are getting an IP address, then:
[1] To accomplish the above, we would configure the group with the following
NAR (Network Access Restriction)
Define IP-based Network Access Restriction
Permitted Calling Point
AAA client: VOICE NDG created
Port *
Src IP Address *
Submit the changes and try.
Here is more on configuring Network Access Restriction:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478900
HTH
JK
Plz rate helpful posts-
10-23-2009 08:49 AM
I looked at that, but isn't that just simply "network restriction"? I want them to be able to log in to all voice routers and execute the "allowed" commands we have listed, but if they log in to a data-only router, to be denied access altogether. Make sense?
10-23-2009 09:02 AM
Hi,
Just checked your reply.
Well, you need to get a bit tricky. It looks like you have data and voice routers, and you want no access to the data routers and restricted access to the voice routers.
Check this:
Create two NDGs, one for the voice routers and the other for the data routers.
Go to the group > apply a NAR on the data routers with the action as denied. If we are getting anything apart from a valid IP address, then you have to use CLI/DNIS-based NAR.
Since you have a command set created with specific commands > on the same group > scroll down to the Shell Command Authorization Set
Assign a Shell Command Authorization Set on a per Network Device Group Basis
Here you can map the VOICE routers' NDG with the respective command authorization set.
So this way we can deny access to the data routers and give restricted access to the voice routers.
HTH
JK
Plz rate helpful posts-
10-23-2009 08:53 AM
Thanks, I will give that a shot. What was hanging me up on the NAR was that it showed CLID/DNIS, but they are local telnet users...
11-09-2009 12:32 PM
What do the stars mean? Is it a wildcard?
If I select deny access and all AAA clients and apply it to a group, does that mean that they will not have access to the AAA client? I.e., they will not be able to authenticate and log on to a router.
11-09-2009 12:45 PM
Yes, it is a wildcard.
Yes, if the condition is deny for all AAA clients, then that group will not have access to any of the clients.
Access denied.
Regards,
~JG
Do rate helpful posts
11-09-2009 12:49 PM
Hi Kelvin,
You got it right. * means wildcard, and if we use (*) for port and source address then it would assume any port/address.
If you use the action deny for all AAA clients, then the users of that group in ACS will not be able to access any device.
HTH
JK
Plz rate helpful posts-
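To make the two approaches in this thread concrete (JK's "permit the VOICE NDG" versus "deny the DATA NDG", plus the wildcard question above), here is an added example that is not from the thread or from Cisco: a small Python model of how a group's NAR rules are evaluated. The NDG membership, router addresses, port names and source addresses are all constructed sample values, and the evaluation order (a matching deny wins, then a permit list must be matched if one exists) is a simplified model of the behaviour described in the replies, not ACS's actual code.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample Network Device Groups (AAA client IPs). Not from the thread.
NDGS = {
    "VOICE": {"10.0.1.1", "10.0.1.2"},
    "DATA": {"10.0.2.1", "10.0.2.2"},
}


@dataclass
class NarRule:
    """One row of a group's IP-based NAR table (simplified model)."""
    action: str        # "permit" (Permitted Calling Point) or "deny" (Denied)
    ndg: str           # NDG the AAA client must belong to; "*" = any client
    port: str = "*"    # "*" = any port
    src: str = "*"     # source address or CIDR; "*" = any source address

    def matches(self, aaa_client: str, port: str, src_ip: str) -> bool:
        if self.ndg != "*" and aaa_client not in NDGS.get(self.ndg, set()):
            return False
        if self.port != "*" and self.port != port:
            return False
        if self.src != "*":
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        return True


def nar_decision(rules, aaa_client: str, port: str, src_ip: str) -> str:
    """Return "permit" or "deny" for a login attempt under this rule set.

    Model: any matching deny rule denies; if permit rules exist, one of them
    must match or the attempt is denied; with no rules at all, access is open.
    """
    if any(r.action == "deny" and r.matches(aaa_client, port, src_ip) for r in rules):
        return "deny"
    permits = [r for r in rules if r.action == "permit"]
    if permits and not any(r.matches(aaa_client, port, src_ip) for r in permits):
        return "deny"
    return "permit"


# Approach 1 from the thread: permit only the VOICE NDG (port *, src *).
PERMIT_VOICE_ONLY = [NarRule("permit", "VOICE")]

# Approach 2 from the thread: deny the DATA NDG, leave everything else open.
DENY_DATA = [NarRule("deny", "DATA")]

# "Deny access, all AAA clients": the group can log in nowhere.
DENY_ALL = [NarRule("deny", "*")]


def compare_policies(aaa_client: str, src_ip: str = "192.168.5.7", port: str = "tty1"):
    """Show how each policy treats the same login attempt."""
    return {
        "permit_voice_only": nar_decision(PERMIT_VOICE_ONLY, aaa_client, port, src_ip),
        "deny_data": nar_decision(DENY_DATA, aaa_client, port, src_ip),
        "deny_all": nar_decision(DENY_ALL, aaa_client, port, src_ip),
    }


if __name__ == "__main__":
    # 10.0.9.9 stands in for a device in neither NDG (e.g. an ASA doing VPN
    # authentication against the same ACS); the two approaches differ on it.
    for client in ("10.0.1.1", "10.0.2.1", "10.0.9.9"):
        print(client, compare_policies(client))
```

The point the comparison makes: a permit list on the VOICE NDG implicitly denies every AAA client outside it, including devices that were never meant to be restricted, whereas a deny on the DATA NDG only blocks the listed group and leaves the rest open. Which one fits depends on whether other AAA clients share the same group, which is exactly the VPN question raised later in the thread.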
11-09-2009 12:54 PM
OK, thanks, that's what I was hoping. One more question: if I have remote access VPN on an ASA and authentication is provided via the ACS, and I add the NAR as I described earlier, would those users in the group still be able to authenticate?
11-09-2009 01:50 PM
Hi kelvin,
They will be able to connect if you are using the ASA for VPN with the RADIUS protocol.
HTH
JK
Plz rate helpful posts-
11-09-2009 01:54 PM
I am guessing that if it is using TACACS then it is going to be a problem, am I right?
11-09-2009 01:58 PM
Kelvin,
You are correct. If we are using TACACS for both sessions, then this would not work, because rem_address would be the same and the NAR would not allow the VPN users.
HTH
JK
Plz rate helpful posts-
11-09-2009 02:01 PM
ACS 3.2 does not have device groups, so I cannot separate the devices.... Thanks a lot, I'm gonna have to think about it some more.