ACS 5.1 AAA Authentication with AD groups

Sep 9th, 2010

Hello -

I have made great progress configuring my ACS 5.1 for tacacs+ services.  However, there is one thing that is not working quite as I expected. 

Instead of creating local ACS accounts for our network group I've decided to use the group setup in AD for our network team to authenticate and provide full access (privilege 15) to network team members. 

Under Access Policies "Default Device Admin" I chose the AD1 identity source and then under "Authorization" created rules that seem to work only for authorization.  AD users that are not in the network group are not authorized to execute any commands on our network devices.  

However, what bothers me is that these non-network team AD users (in other AD groups) are still able to authenticate to the devices.   They are granted the "permit access" shell profile according to the logs.

I would like it so that non-network AD users are not even authenticated to the network devices.

Does anyone have any thoughts on how I can accomplish this?  I only want to see network team members authenticated to network devices.   I am sure it is something simple I am missing.   How can I grant the "deny access" shell profile to any AD user that is not in the AD network team group?



kushsriva Thu, 09/09/2010 - 11:55


In the ACS 5, there is a way in which we can limit the user access to only specific groups. Here are the steps needed to do the configuration:

- Go under Users and Identity Stores, click on Active Directory and go to Directory Groups.

- Click on Select and select the group which should have access to the devices.

- Now go to the "Default Device Admin", click on Authorization.

- On the right bottom corner, you would see a Customize tab, click on it.

- Below Customize Conditions under Available, you would see "AD1:ExternalGroups", move it to the right under Selected.

- Now create a new policy, you would see "AD1:ExternalGroups". Check the box and select the group which we selected earlier.

- Make the default policy as denied.

Now only the users which are in that specific group should be able to connect.
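
As an added illustration (not part of the thread, and not ACS code), the following Python model reproduces the first-match evaluation of an ACS 5.x authorization rule table with a trailing default rule. It assumes a constructed group name and a constructed "Priv15-Shell" profile; the rule condition "AD1:ExternalGroups contains any of the selected groups" is modelled as a set intersection. It shows why a non-network user still received "Permit Access" while the default rule was left at permit, and how switching the default to deny closes that gap.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Built-in ACS shell profile names seen in the thread's logs.
PERMIT_ACCESS = "Permit Access"
DENY_ACCESS = "Deny Access"

# Constructed AD group name (assumption, not from the thread).
NETWORK_GROUP = "corp.example/Users/NetworkTeam"


@dataclass(frozen=True)
class Rule:
    name: str
    # Condition on AD1:ExternalGroups: user must be in at least one of these.
    # An empty set means the rule has no group condition and matches anyone.
    groups: FrozenSet[str]
    shell_profile: str


@dataclass(frozen=True)
class AuthorizationPolicy:
    rules: List[Rule]
    default_profile: str  # the trailing "Default" rule at the end of the list


def evaluate(policy: AuthorizationPolicy, user_groups: List[str]) -> Tuple[str, str]:
    """First matching rule wins; if nothing matches, the default rule applies."""
    membership = set(user_groups)
    for rule in policy.rules:
        if rule.groups and not (rule.groups & membership):
            continue  # condition not met, fall through to the next rule
        return rule.name, rule.shell_profile
    return "Default", policy.default_profile


NETWORK_RULE = Rule("NetworkTeam-Priv15", frozenset({NETWORK_GROUP}), "Priv15-Shell")

# Before the fix: the default rule was left at Permit Access (the original symptom).
POLICY_BEFORE = AuthorizationPolicy([NETWORK_RULE], default_profile=PERMIT_ACCESS)
# After the fix: the default rule is Deny Access, so only explicit matches get in.
POLICY_AFTER = AuthorizationPolicy([NETWORK_RULE], default_profile=DENY_ACCESS)

# Constructed sample users: one network admin, one help-desk user in another AD group.
SAMPLE_USERS: Dict[str, List[str]] = {
    "netadmin": [NETWORK_GROUP],
    "helpdesk": ["corp.example/Users/HelpDesk"],
}


def access_matrix(policy: AuthorizationPolicy) -> Dict[str, str]:
    """Map each sample user to the shell profile the policy would assign."""
    return {user: evaluate(policy, groups)[1] for user, groups in SAMPLE_USERS.items()}
```

Running `access_matrix(POLICY_BEFORE)` shows the help-desk user landing on "Permit Access" via the default rule, which is exactly the log entry the question describes; `access_matrix(POLICY_AFTER)` shows the same user denied while the network admin keeps the privilege-15 profile.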



c.fuller Fri, 09/10/2010 - 04:57

Kushangra -

Thanks for the information.  Turned out the problem was with the default policy rule at the end of the rule list.   It was set, by default, to "permitaccess".  I changed that to "denyaccess" and now non-network AD users are unable to achieve authentication with our network devices.



