AAA - Restrict Group access from logging onto all NDG except one

lstrauch
Level 1

I've recently created a group of users to only be able to shut and unshut interfaces using the aaa authorize config-commands, and have all the relevant groups etc. in place and working. My problem now is that the new users can now log into any device on the network (can't do anything other than show ver and show logg). I need to stop them from accessing anything other than the group I specified under group settings.

1 Accepted Solution

Accepted Solutions

OK, so you have a group of admins who should be restricted to working a single NDG of devices?

Create an IP-based NAR in the relevant ACS group, make it a "permit" and specify the name of the NDG that group is allowed to access.

If a user of that group tries to log on to any other device they will get filtered.

Darran

5 Replies

Jeffrey Bollinger
Cisco Employee

I'm assuming you're using CiscoSecure ACS? Why not create some NARs (network access restrictions) that limit the devices or device groups (NDG) that users in a particular group can access?

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697095

Yes, using Windows ACS 3.6. Am a bit confused, do I need to create a NAF and then apply it in the NAR under the group that I want to restrict?

If you could provide any steps involved I would greatly appreciate it.

lee

Darran,

You are a legend!!!

Thanks

lee

Aw shucks.... I'm all embarrassed now!

:)