I'm sure this question has already been asked and the solution is simple - however it does not appear to be obvious!
My requirement is to have an AD group called 'CiscoAdmins' and another called 'VPNUsers'. Using ACS I want to only authorise members of the 'CiscoAdmins' group to perform telnet/SSH etc. and only permit members of the 'VPNUsers' group to connect in remotely via an ASA firewall. So in other words, authentication should only PASS if the user is a member of a particular AD group.
We currently have all authentication/accounting working as needed using TACACS - referring to (Windows Database NOT LDAP) AD for correct username/password. However, we've noticed that members of the 'CiscoAdmins' group can perform VPN authentication and vice versa - which is not so good. This is despite setting up the AD/ACS group mapping etc. and re-ordering many many times!
Is TACACS OK or should we revert to RADIUS & the same goes for Windows Database v LDAP ..?
I've trawled the net and this forum to no avail - please help!
There must be a guide somewhere for this simple request surely?
Re: ACS 4.2 SE & Windows 2003, AD Group Restrictions?
Thanks again JK,
I'll give this a go and feedback ..
So just to confirm, am I right in understanding that there is NO way of restricting access simply by checking AD group membership? Therefore the only way is to restrict certain elements as you describe? Seems like a lot of work ..