Control access to network device with ACS

Answered Question
Feb 10th, 2006

Hi all!


Currently I have in place a Cisco Secure ACS Appliance using Windows as the back-end authentication. Cisco Secure is acting as a TACACS+ server. I have two groups defined in Cisco Secure: Netadmins and ITD Security. The users in the Netadmins group need access to all switches and routers on the network. ITD Security only needs access to async line 53 on a 2611 router for an out-of-band connection to a firewall and no other access to any network devices. How can I limit access for the Cisco Secure group “ITD Security” to line 53 only?


My current config on this router is:


aaa new-model
aaa authentication login netadmins group tacacs+ line
aaa authentication login ITDSEC group tacacs+ line
tacacs-server host 10.30.X.X
tacacs-server host 10.18.X.X
tacacs-server key XXXXXXX

line 53
 no exec
 login authentication ITDSEC
 transport input all
 stopbits 1
 speed 115200

line vty 0 4
 exec-timeout 30 0
 timeout login response 120
 login authentication netadmins




But the users in the “ITD Security” group can still gain access by vty and then reverse telnet to any async line on the router. Additionally, users in the “ITD Security” group can still access any other switch or router using telnet: what should my configuration on those devices be? Do I need to do some configuration in ACS?


All other devices:


aaa new-model
aaa authentication login netadmins group tacacs+ line
tacacs-server host 10.30.X.X
tacacs-server host 10.18.X.X
tacacs-server key XXXXXXX

line con 0
 password 7 141C015C5806
 login authentication netadmins
line vty 0 4
 password 7 11020A524310
 login authentication netadmins
line vty 5 15
 password 7 11020A524310
 login authentication netadmins



Any help will be greatly appreciated.


Correct Answer
darpotter Mon, 02/13/2006 - 06:47

Hi


In the Security group I would create an IP Network Access Restriction with a permit entry. Basically to allow access to the single port on 2611 only.


The AAA Client field is the name you've given to the 2611 in network config. Address will be * unless you want to restrict access to one or more IP addresses. Port... never quite sure with async whether the port value should be "async 53" or "line 53".


If you look in passed/failed attempts for the nas-port attribute you'll see what T+ is sending to ACS. This should help you know what to put in the NAR.


Darran

dwhisinnand Mon, 02/13/2006 - 08:52

Darren


Thank you very much for the help. I looked at the failed attempts log and found the NAS-Port to be tty53. I created an IP-based NAR for the security group in ACS and used port tty53 for the AAA client.

Problem solved!


-David
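The permit-only NAR that darpotter describes, using the tty53 NAS-Port value David found in the failed-attempts log, modelled as an added Python example (not code from the thread or from ACS). The device name rtr-2611, the CSV column layout and the log rows are assumptions constructed for the example.

```python
"""Model of an ACS IP-based Network Access Restriction (NAR) with permit
entries, plus extraction of NAS-Port values from constructed log lines."""
import csv
import io
from fnmatch import fnmatch

# Constructed sample shaped like an ACS Failed Attempts CSV export; the column
# layout and every row are assumptions for this example, not a real export.
FAILED_ATTEMPTS_CSV = """\
Date,Time,User-Name,Group-Name,NAS-Port,NAS-IP-Address
02/13/2006,08:30:12,dsmith,ITD Security,tty53,10.30.0.1
02/13/2006,08:31:40,dsmith,ITD Security,tty66,10.30.0.1
02/13/2006,08:32:05,jdoe,Netadmins,tty1,10.18.0.7
"""


def nas_ports_seen(csv_text):
    """Return {user: set of NAS-Port values}, i.e. what T+ is sending to ACS.

    This is the check the answer recommends before writing the NAR: read the
    attribute off real attempts instead of guessing 'async 53' vs 'line 53'.
    """
    ports = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ports.setdefault(row["User-Name"], set()).add(row["NAS-Port"])
    return ports


# One NAR permit entry = (AAA client name, address pattern, port pattern).
# "*" matches anything, as in the ACS NAR editor. The AAA client name
# rtr-2611 is an assumed name for the 2611 from the thread.
ITD_SECURITY_NAR = [("rtr-2611", "*", "tty53")]


def nar_permits(nar, aaa_client, address, port):
    """Permit-only NAR semantics: access is granted only when some entry
    matches all three fields; anything not explicitly permitted is denied.

    That single entry is what closes both gaps from the question: a vty login
    on the 2611 (different port) and a login on any other device (different
    AAA client) fall through to the implicit deny, so the other devices need
    no per-device change for this group.
    """
    return any(
        fnmatch(aaa_client, c) and fnmatch(address, a) and fnmatch(port, p)
        for c, a, p in nar
    )
```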
