Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
607
Views
0
Helpful
2
Replies

ACS 5.0 and AD groups

Go to solution
abu_bucker
Level 1
Level 1

‎10-27-2010 07:18 AM - edited ‎03-10-2019 05:31 PM

Hi,

I have MS 2003 AD connected to ACS 5.0. All the domain users are getting authenticated and able to access the network devices (switch / router / firewall).

ACS is being used for user authentication and command accounting using TACACS+, for device access and management. The following is configured on the switches / routers.

aaa new-model

aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

I want to control the domain users who can get authenticated from ACS. I want only domain users, who are memeber of a particular AD group say "abc" to get authenticated, rest all domain users should be denied access.

I have selected the AD group "abc" under "directory groups" tab on Users and Identity Stores:External Identity Stores > Active Directory page, but still all the domain users are getting authenticated.

I am facing another issue, related to reports.

When I click the detail for any failed / passed authentication entry on AAA Protocol > TACACS+ Authentication page, The remote address (under user, just below the username filed) field is empty.

How can I get the remote ip address of the user who (un)successfully tried to get authenticated. Its very important for us as we are getting lots of failed authentication entries, using randon usernames on one of our devices. But we are unabe to trace the source of this attack.

Any help is resolving the above two issues will be highly appreciated.

Thanks is advance,

Abu Bucker

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7

‎10-28-2010 04:55 AM

In order to deny access to users based on AD group you need to change the policy for TACACS+ authorization

I am assuming you still have the defauklt policies as defined at system installation time. If so, go to:Access Policies> Access Services > Default Device Admin > Authorization

1) Add a colum for a condition based on AD user groups: Press "Customize" and select the "AD1:ExternalGroups" attribute as a selected condition and press OK

2) Create a new rule by pressing "Create" in the policy page. Check the "AD1:ExternalGroups", press the select option and then select the group "abc". The shell profile selected as the result should be "PermitAccess" (default result). Press "OK" to save the rule

3) On main policy page check the box next t default and press "Edit". Select the "Deny Access" profile as default rule result

Press "Save Changes" to save the new policy.

Now all users that are in group "abc" will be permitted access and all other users denied

View solution in original post

0 Helpful
2 Replies 2

Go to solution
jrabinow
Level 7
Level 7

‎10-28-2010 04:55 AM

In order to deny access to users based on AD group you need to change the policy for TACACS+ authorization

I am assuming you still have the defauklt policies as defined at system installation time. If so, go to:Access Policies> Access Services > Default Device Admin > Authorization

1) Add a colum for a condition based on AD user groups: Press "Customize" and select the "AD1:ExternalGroups" attribute as a selected condition and press OK

2) Create a new rule by pressing "Create" in the policy page. Check the "AD1:ExternalGroups", press the select option and then select the group "abc". The shell profile selected as the result should be "PermitAccess" (default result). Press "OK" to save the rule

3) On main policy page check the box next t default and press "Edit". Select the "Deny Access" profile as default rule result

Press "Save Changes" to save the new policy.

Now all users that are in group "abc" will be permitted access and all other users denied

0 Helpful

Go to solution
abu_bucker
Level 1
Level 1
In response to jrabinow

‎10-29-2010 04:15 AM

Dear Jrabinow,

Thanks a lot for providing the solution. It's working as expected.

Regards,

Abu Bucker

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents