02-23-2006 05:16 AM - edited 03-10-2019 02:29 PM
I've recently created a group of users to only be able to shut and unshut interfaces using the aaa authorize config-commands and have all the relevant groups etc. in place and working. My problem now is that the new users can now log into any device on the network (can't do anything other than show ver and show logg). I need to stop them from accessing anything other than the group I specified under group settings.
02-23-2006 06:58 AM
I'm assuming you're using CiscoSecure ACS? Why not create some NARs (network access restrictions) that limit the devices or device groups (NDG) that users in a particular group can access?
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697095
02-23-2006 07:33 AM
Yes, using Windows ACS 3.6. Am a bit confused, do I need to create a NAF and then apply it in the NAR under the group that I want to restrict?
If you could provide any steps involved I would greatly appreciate it.
lee
02-23-2006 07:51 AM
OK, so you have a group of admins who should be restricted to working a single NDG of devices?
Create an IP-based NAR in the relevant ACS group, make it a "permit" and specify the name of the NDG that group is allowed to access.
If a user of that group tries to log on to any other device they will get filtered.
Darran
02-23-2006 08:08 AM
Darran,
You are a legend!!!
Thanks
lee
02-23-2006 08:25 AM
aw shucks.... I'm all embarrassed now!
:)