Router access is authenticated via ACS using Active Directory,
but I want only administrators to get access to the routers, not all Active Directory users.
To achieve this, what action is required on ACS?
<> I have an Administrator group in Active Directory.
<> I have 40 network devices to access, some on different subnets.
Not too hard...
1) Make sure ACS is correctly mapping from the Windows group to the ACS group (under the external authentication page). Basically, get admins to map to an ACS admins group and everyone else to a non-admin ACS group.
2) In the ACS group selected to be the non-admins group, create an IP-based NAR (network access restriction) that is a DENY on "All AAA Clients", port=*, addr=*
This very simple approach lets the admins have total access (you may want to tighten later) and non-admins nothing.
NAR filtering is applied during authentication, so the Failed Attempts report should show the user was filtered rather than rejected.
There are two sections in NARs.
1st is IP-based NAR.
2nd is CLI/DNIS-based.
So for wireless users you need to apply only the IP-based NAR. By this, wireless users will NOT be able to ssh/telnet, but they can connect to the wireless network.
So does that solve your issue?
Check out this white paper,
Do rate helpful posts
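The decision flow the answer above describes, as an added illustrative model (this is not ACS code or the poster's configuration): map a user's Windows/AD groups to an ACS group, then apply an IP-based NAR on that group. A DENY on "All AAA Clients", port=*, addr=* filters every non-admin, while the admin group carries no NAR. All users, passwords, groups, device names and addresses are constructed sample data, and the NAR semantics are simplified (a matching deny rule filters the user; if permit rules exist, at least one must match).

```python
"""Illustrative model of ACS group mapping plus IP-based NAR evaluation.
Added example, not ACS code. Outcomes: "passed", "filtered" (NAR hit,
which is what the Failed Attempts report shows) or "rejected" (bad
credentials). Users, groups and addresses are constructed sample data."""

from dataclasses import dataclass, field
from fnmatch import fnmatch

ALL_AAA_CLIENTS = "All AAA Clients"


@dataclass(frozen=True)
class AaaClient:
    name: str   # AAA client (router, AP) as defined in ACS
    ip: str     # its address as seen by ACS


@dataclass(frozen=True)
class NarRule:
    action: str                         # "permit" or "deny"
    aaa_client: str = ALL_AAA_CLIENTS   # a client name, or ALL_AAA_CLIENTS
    port: str = "*"                     # "*" = any line/port, else a pattern
    addr: str = "*"                     # "*" = any, else a pattern on client IP

    def matches(self, client, port):
        client_ok = self.aaa_client in (ALL_AAA_CLIENTS, client.name)
        return (client_ok
                and fnmatch(port, self.port)
                and fnmatch(client.ip, self.addr))


@dataclass
class AcsGroup:
    name: str
    nars: list = field(default_factory=list)   # list of NarRule

    def allows(self, client, port):
        """Simplified NAR: any matching deny filters; if permit rules
        exist, at least one must match."""
        if any(r.action == "deny" and r.matches(client, port) for r in self.nars):
            return False
        permits = [r for r in self.nars if r.action == "permit"]
        return not permits or any(r.matches(client, port) for r in permits)


class Acs:
    """Stand-in for ACS: AD credential check, Windows-group -> ACS-group
    mapping (first match wins, with a default group), then per-group NARs."""

    def __init__(self, ad_users, group_map, default_group, acs_groups):
        self.ad_users = ad_users          # {user: (password, [windows groups])}
        self.group_map = group_map        # [(windows group, acs group name)]
        self.default_group = default_group
        self.acs_groups = acs_groups      # {acs group name: AcsGroup}

    def map_group(self, windows_groups):
        for win_group, acs_group in self.group_map:
            if win_group in windows_groups:
                return self.acs_groups[acs_group]
        return self.acs_groups[self.default_group]

    def authenticate(self, user, password, client, port="tty1"):
        entry = self.ad_users.get(user)
        if entry is None or entry[0] != password:
            return "rejected"             # credential failure
        group = self.map_group(entry[1])
        return "passed" if group.allows(client, port) else "filtered"


def build_sample_acs():
    """The setup from the answer: the Windows Administrator group maps to
    an ACS admin group with no NAR; everyone else lands in a non-admin
    group carrying DENY on All AAA Clients, port=*, addr=*."""
    groups = {
        "NetAdmins": AcsGroup("NetAdmins"),
        "NonAdmins": AcsGroup("NonAdmins",
                              nars=[NarRule("deny", ALL_AAA_CLIENTS, "*", "*")]),
    }
    ad_users = {                          # constructed sample accounts
        "alice": ("S3cret!", ["Domain Users", "Administrator"]),
        "bob": ("Passw0rd", ["Domain Users"]),
    }
    return Acs(ad_users, [("Administrator", "NetAdmins")], "NonAdmins", groups)


if __name__ == "__main__":
    acs = build_sample_acs()
    router = AaaClient("core-rtr1", "192.168.1.100")
    for user, pw in [("alice", "S3cret!"), ("bob", "Passw0rd"), ("bob", "wrong")]:
        print(user, "->", acs.authenticate(user, pw, router))
```

Running the block prints "passed" for the admin, "filtered" for the non-admin (a valid password that hits the NAR) and "rejected" for the bad password, which is the distinction the answer makes about the Failed Attempts report. A NarRule scoped to a single AAA client name instead of ALL_AAA_CLIENTS shows how a deny can be limited to specific devices.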
Thanks for the reply...
I am not getting the syntax for
(( DENY on "All AAA Clients", port=*, addr=* ))
I need to deny access to the router (AAA client 192.168.1.100) for the group "Users" for telnet and ssh only, and the same for the AP (Aironet) (AAA client 192.168.1.150).
I had already enabled Group-level network access, but blocking the AAA client for non-admins (Users group) is not working.
Instead of going to each group and defining a NAR, is there a way to allow one group and deny all other groups?