Cisco Support Community
New Member

AAA - Restrict Group access from logging onto all NDG except one

I've recently created a group of users to only be able to shut and unshut interfaces using the aaa authorize config-commands and have all the relevant groups etc. in place and working. My problem now is that the new users can now log into any device on the network (can't do anything other than show ver and show logg). I need to stop them from accessing anything other than the group I specified under group settings.

1 ACCEPTED SOLUTION
Silver

Re: AAA - Restrict Group access from logging onto all NDG except

OK, so you have a group of admins who should be restricted to working a single NDG of devices?

Create an IP-based NAR in the relevant ACS group, make it a "permit" and specify the name of the NDG that group is allowed to access.

If a user of that group tries to log on to any other device they will get filtered.

Darran

5 REPLIES
Cisco Employee

Re: AAA - Restrict Group access from logging onto all NDG except

I'm assuming you're using CiscoSecure ACS? Why not create some NARs (network access restrictions) that limit the devices or device groups (NDG) that users in a particular group can access?

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697095

New Member

Re: AAA - Restrict Group access from logging onto all NDG except

Yes, using Windows ACS 3.6. Am a bit confused, do I need to create a NAF and then apply it in the NAR under the group that I want to restrict?

If you could provide any steps involved I would greatly appreciate it.

lee

New Member

Re: AAA - Restrict Group access from logging onto all NDG except

Darran,

You are a legend!!!

Thanks

lee

Silver

Re: AAA - Restrict Group access from logging onto all NDG except

Aw shucks... I'm all embarrassed now!

:)
