Access Restriction on ACS

Amin Shaikh
Level 1

Routers access are authenticated via ACS using Active Directory,

But I want only administrator to get access to routers not all Active Directory users.

To achieve this, what action is required on ACS?

FYI:

<> I have an Administrator group on Active Directory.

<> I have 40 network devices to access, some on different subnets.

darpotter
Level 5

Not too hard...

1) Make sure ACS is correctly mapping from Windows group to ACS group (under external authentication page). Basically get admins to map to an ACS admins group and everyone else to a non-admin ACS group.

2) In the ACS group selected to be the non-admins group, create an IP-based NAR (network access restriction) that is a DENY on "All AAA Clients", port=*, addr=*

This very simple approach lets the admins have total access (you may want to tighten later) and non-admins nothing.

NAR filtering is applied during authentication, so the Failed Attempts report should show the user was filtered rather than rejected.

Darran
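The two-step scheme above (AD group to ACS group mapping, then a group-level deny-all IP NAR on the non-admin group) modelled in Python, as an added illustration that is not part of the thread or of ACS itself; the group names, addresses and function names are constructed for the example.

```python
"""Model of ACS group mapping plus a group-level IP-based NAR.

Constructed example (not from the thread): step 1 maps Windows/AD groups to
ACS groups, step 2 attaches a DENY NAR on "All AAA Clients", port=*, addr=*
to the non-admin ACS group. All names and addresses are hypothetical.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Step 1: external-authentication mapping, AD group -> ACS group.
# Like ACS, the first configured mapping that matches wins.
AD_TO_ACS_GROUP = {"Administrators": "ACS-Admins", "Domain Users": "ACS-Users"}
DEFAULT_ACS_GROUP = "ACS-Users"  # anyone not explicitly mapped lands here


@dataclass
class IpNar:
    """One IP-based NAR entry; the action applies when all three fields match."""
    action: str      # "deny" or "permit"
    aaa_client: str  # AAA client name/IP, "*" stands for "All AAA Clients"
    port: str        # "*" = any port
    addr: str        # "*" = any calling-station address


def nar_matches(nar: IpNar, aaa_client: str, port: str, addr: str) -> bool:
    """Wildcard match of the request against one NAR entry."""
    return all(fnmatch(value, pattern) for value, pattern in
               ((aaa_client, nar.aaa_client), (port, nar.port), (addr, nar.addr)))


# Step 2: group-level NARs. The non-admin group carries a single deny-all entry.
GROUP_NARS = {
    "ACS-Admins": [],
    "ACS-Users": [IpNar("deny", "*", "*", "*")],
}


def acs_group_for(ad_groups) -> str:
    """Resolve the ACS group from a user's AD group memberships."""
    for ad_group, acs_group in AD_TO_ACS_GROUP.items():
        if ad_group in ad_groups:
            return acs_group
    return DEFAULT_ACS_GROUP


def authorize(ad_groups, aaa_client: str, port: str = "*", addr: str = "*"):
    """Return (result, acs_group). NAR filtering runs during authentication,
    so a blocked user shows up as 'filtered' rather than 'rejected'."""
    group = acs_group_for(ad_groups)
    for nar in GROUP_NARS.get(group, []):
        if nar_matches(nar, aaa_client, port, addr):
            return ("filtered" if nar.action == "deny" else "passed", group)
    return ("passed", group)
```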

Jagdeep Gambhir
Level 10

There are two sections in NARs.

1st is IP-based NAR.

2nd is CLI/DNIS-based.

So for wireless users you need to apply only the IP-based NAR. By this, wireless users will NOT be able to ssh/telnet, but they can connect to the wireless network.

So does that solve your issue?

Check out this white paper,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Regards,

~JG

Do rate helpful posts

Thanks for the reply...

I am not getting the syntax to

(( DENY on "All AAA Clients", port=*, addr=* ))

I need to deny access to the router (AAA client 192.168.1.100) to group "Users" for telnet and ssh only, and the same for the AP (Aironet) (AAA client 192.168.1.150).

Go to ACS ----> Interface Configuration ----> Advanced Options ----> enable Group-Level Network Access Restrictions ----> Submit.

Regards,

~JG

Thanks...

I had already enabled Group-Level Network Access Restrictions, but blocking the AAA client for the non-admin (Users group) is not working.

Please attach the NAR screenshot.

Thanks for your reply.

I have attached the screenshot, where the VPN user group can ssh/telnet to network devices even though the NAR is applied to the group.

Use "*" for port and IP address.

Thanks...

Instead of going to each group and defining a NAR, is there a way to allow for one group and deny for all other groups?

Unfortunately, there is no such option. It can only be defined on an individual group or at user level.

Regards,

~JG

Do rate helpful posts