Cisco Support Community

New Member

Access Restriction on ACS

Router access is authenticated via ACS using Active Directory,

But I want only administrators to get access to the routers, not all Active Directory users.

To achieve this, what action is required on ACS?

FYI:

<> I have an Administrator group on Active Directory.

<> I have 40 network devices to access, some on different subnets.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Access Restriction on ACS

Unfortunately, there is no such option. It can only be defined on an individual group or at user level.

Regards,

~JG

Do rate helpful posts

10 REPLIES
Silver

Re: Access Restriction on ACS

Not too hard...

1) Make sure ACS is correctly mapping from the Windows group to the ACS group (under the external authentication page). Basically, get admins to map to an ACS admins group and everyone else to a non-admin ACS group.

2) In the ACS group selected to be the non-admins group, create an IP-based NAR (network access restriction) that is a DENY on "All AAA Clients", port=*, addr=*.

This very simple approach lets the admins have total access (you may want to tighten later) and non-admins nothing.

NAR filtering is applied during authentication, so the Failed Attempts report should show the user was filtered rather than rejected.

Darran

Re: Access Restriction on ACS

There are two sections in NARs.

1st is IP-based NAR.

2nd is CLI/DNIS-based.

So for wireless users you need to apply only the IP-based NAR. With this, wireless users will NOT be able to ssh/telnet, but they can connect to the wireless network.

Does that solve your issue?

Check out this white paper:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Regards,

~JG

Do rate helpful posts

New Member

Re: Access Restriction on ACS

Thanks for the reply...

I am not getting the syntax for

(( DENY on "All AAA Clients", port=*, addr=* ))

I need to deny access to the router (AAA client 192.168.1.100) for group "Users" for telnet and ssh only... and the same for the AP (Aironet) (AAA client 192.168.1.150).

Re: Access Restriction on ACS

Go to ACS -> Interface Configuration -> Advanced Options -> enable Group-Level Network Access Restrictions -> Submit.

Regards,

~JG

New Member

Re: Access Restriction on ACS

Thanks...

I had already enabled Group-Level Network Access Restrictions... but blocking the AAA client for non-admins (Users group) is not working...

Re: Access Restriction on ACS

Please attach the NAR screenshot.

New Member

Re: Access Restriction on ACS

Thanks for your reply.

I have attached the screenshot, where the VPN user group can ssh/telnet to network devices even though the NAR is applied to the group...

Re: Access Restriction on ACS

Use "*" for port and IP address.

New Member

Re: Access Restriction on ACS

Thanks...

Instead of going to each group and defining a NAR, is there a way to allow one group and deny all other groups?

Re: Access Restriction on ACS

Unfortunately, there is no such option. It can only be defined on an individual group or at user level.

Regards,

~JG

Do rate helpful posts
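The following is an added illustration, not code from the thread or from Cisco ACS: a small Python model of the two-step approach in Darran's reply (AD group to ACS group mapping, then a group-level IP-based DENY NAR on "All AAA Clients", port=*, addr=*) together with the point in the accepted answer that a NAR only applies to the group it is defined on. The group names, the AAA client addresses from the thread, the "tty1" port value, the caller addresses and the result words "permit" / "filtered" / "rejected" are all constructed assumptions for illustration.

```python
import fnmatch

# Step 1: Windows (AD) group -> ACS group mapping (constructed sample).
AD_TO_ACS_GROUP = {
    "Administrators": "acs-admins",
    "Users": "acs-nonadmins",
    "VPN": "acs-vpn",
}

# AAA clients configured on ACS (addresses taken from the thread).
AAA_CLIENTS = {"192.168.1.100": "router", "192.168.1.150": "aironet-ap"}

# Step 2: group-level IP-based NARs. Each entry is (aaa_client, port, addr),
# where "*" is a wildcard and "All AAA Clients" matches every configured device.
# The table is either a permit list or a deny list. A group with no NAR at all
# is unrestricted, which is why every non-admin group needs its own entry.
NARS = {
    "acs-nonadmins": {"mode": "deny", "entries": [("All AAA Clients", "*", "*")]},
}


def _match(pattern, value):
    return pattern == "*" or fnmatch.fnmatchcase(value, pattern)


def evaluate(ad_group, aaa_client_ip, port, caller_addr):
    """Model the outcome of a login: 'permit', 'filtered' (a NAR blocked it)
    or 'rejected' (unknown group or unknown AAA client)."""
    acs_group = AD_TO_ACS_GROUP.get(ad_group)
    if acs_group is None or aaa_client_ip not in AAA_CLIENTS:
        return "rejected"
    nar = NARS.get(acs_group)
    if nar is None:
        return "permit"  # no NAR defined on this group -> not restricted
    matched = any(
        (client == "All AAA Clients" or client == aaa_client_ip)
        and _match(p, port)
        and _match(a, caller_addr)
        for client, p, a in nar["entries"]
    )
    if nar["mode"] == "deny":
        return "filtered" if matched else "permit"
    return "permit" if matched else "filtered"  # permit list
```

Note that the "VPN" group in the model is not touched by the NAR on "acs-nonadmins", which matches the observation in the thread that a VPN user group could still reach the devices: each group that should be blocked needs its own deny entry.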
