Cisco Support Community

New Member

ACS 5.0 and AD groups

Hi,

I have MS 2003 AD connected to ACS 5.0. All the domain users are getting authenticated and able to access the network devices (switch / router / firewall).

ACS is being used for user authentication and command accounting using TACACS+, for device access and management. The following is configured on the switches / routers.

aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

I want to control which domain users can get authenticated by ACS. I want only domain users who are members of a particular AD group, say "abc", to get authenticated; all other domain users should be denied access.

I have selected the AD group "abc" under "directory groups" tab on Users and Identity Stores:External Identity Stores > Active Directory page, but still all the domain users are getting authenticated.

I am facing another issue, related to reports.

When I click the detail for any failed / passed authentication entry on the AAA Protocol > TACACS+ Authentication page, the remote address field (under user, just below the username field) is empty.

How can I get the remote IP address of the user who (un)successfully tried to get authenticated? It's very important for us, as we are getting lots of failed authentication entries using random usernames on one of our devices, but we are unable to trace the source of this attack.

Any help in resolving the above two issues will be highly appreciated.

Thanks in advance,

Abu Bucker

1 ACCEPTED SOLUTION
Cisco Employee

Re: ACS 5.0 and AD groups

In order to deny access to users based on AD group you need to change the policy for TACACS+ authorization.

I am assuming you still have the default policies as defined at system installation time. If so, go to: Access Policies > Access Services > Default Device Admin > Authorization

1) Add a column for a condition based on AD user groups: press "Customize", select the "AD1:ExternalGroups" attribute as a selected condition and press OK.

2) Create a new rule by pressing "Create" in the policy page. Check "AD1:ExternalGroups", press the select option and then select the group "abc". The shell profile selected as the result should be "PermitAccess" (default result). Press "OK" to save the rule.

3) On the main policy page check the box next to Default and press "Edit". Select the "Deny Access" profile as the default rule result.

Press "Save Changes" to save the new policy.

Now all users that are in group "abc" will be permitted access and all other users denied.
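As an added illustration (not part of the original thread or of Cisco's code), the following Python model reproduces the first-match evaluation of the authorization policy described above. It shows why adding the "abc" rule alone (step 2) still permits every domain user, and why changing the Default rule to Deny Access (step 3) is what actually closes the gap. The sample users, their group sets and the "any-of" group match are constructed assumptions, not values from the thread.

```python
"""Simplified model of the ACS 5.0 Default Device Admin authorization policy.

Added example, not Cisco code. Rule names, the AD1:ExternalGroups attribute
and the PermitAccess/DenyAccess shell profiles come from the thread; the
evaluation semantics (first matching rule wins, the Default rule applies
when nothing matches) are a simplification for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    required_groups: frozenset  # assumed "any-of" match on AD1:ExternalGroups
    result: str                 # shell profile: "PermitAccess" or "DenyAccess"


@dataclass
class Policy:
    rules: list
    default_result: str  # shell profile of the "Default" rule

    def evaluate(self, external_groups):
        """Return the shell profile for a user with the given AD groups."""
        groups = set(external_groups)
        for rule in self.rules:          # top-down, first match wins
            if rule.required_groups & groups:
                return rule.result
        return self.default_result       # nothing matched: Default rule


# Constructed sample users with their AD1:ExternalGroups values.
USERS = {
    "netadmin": {"abc", "Domain Users"},
    "alice": {"Domain Users"},
    "guest": {"Domain Guests"},
}

ABC_RULE = Rule("abc-admins", frozenset({"abc"}), "PermitAccess")

# After step 2 only: the rule exists but Default is still PermitAccess, so
# every domain user is still let in (the behaviour the poster observed).
BEFORE = Policy([ABC_RULE], default_result="PermitAccess")
# After step 3: Default changed to DenyAccess; only "abc" members get in.
AFTER = Policy([ABC_RULE], default_result="DenyAccess")


def decisions(policy):
    """Map each sample user to the shell profile the policy returns."""
    return {user: policy.evaluate(groups) for user, groups in USERS.items()}


if __name__ == "__main__":
    for label, policy in (("before step 3", BEFORE), ("after step 3", AFTER)):
        print(label, decisions(policy))
```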

2 REPLIES

New Member

Re: ACS 5.0 and AD groups

Dear Jrabinow,

Thanks a lot for providing the solution. It's working as expected.

Regards,

Abu Bucker
