Cisco Support Community


ACS 5.1 AAA Authentication with AD groups

Hello -

I have made great progress configuring my ACS 5.1 for tacacs+ services.  However, there is one thing that is not working quite as I expected. 

Instead of creating local ACS accounts for our network group I've decided to use the group setup in AD for our network team to authenticate and provide full access (privilege 15) to network team members. 

Under Access Policies "Default Device Admin" I chose the AD1 identity source and then under "Authorization" created rules that seem to work only for authorization.  AD users that are not in the network group are not authorized to execute any commands on our network devices.  

However, what bothers me is that these non-network team AD users (in other AD groups) are still able to authenticate to the devices.   They are granted the "permit access" shell profile according to the logs.

I would like it so that non-network AD users are not even authenticated to the network devices.

Does anyone have any thoughts on how I can accomplish this?  I only want to see network team members authenticated to network devices.   I am sure it is something simple I am missing.   How can I grant the "deny access" shell profile to any AD user that is not in the AD network team group?

Re: ACS 5.1 AAA Authentication with AD groups


In the ACS 5, there is a way in which we can limit the user access to only specific groups. Here are the steps needed to do the configuration:

- Go under users and Identity Stores, click on Active directory and go to Directory Groups.

- Click on Select and select the group which should have access to the devices.

- Now Go to the "Default Device Admin", click on Authorization.

- On the right bottom corner, you would see a Customize tab, click on it.

- Below Customize Conditions under Available, you would see "AD1:ExternalGroups"; move it to the right under Selected.

- Now create a new policy, you would see "AD1:ExternalGroups". Check the box and select the group which we selected earlier.

- Make the default policy as denied.

Now only the users which are in that specific group should be able to connect.




Re: ACS 5.1 AAA Authentication with AD groups

Kushangra -

Thanks for the information.  Turned out the problem was with the default policy rule at the end of the rule list.   It was set, by default, to "permitaccess".  I changed that to "denyaccess" and now non-network AD users are unable to achieve authentication with our network devices.
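The following is an added illustration, not Cisco ACS code or anything posted in this thread: a small model of how an ACS 5.x authorization policy is evaluated first-match from the top, with the Default rule applied when no rule matches, showing the weak setting (Default left at PermitAccess) beside the fix described above (Default set to DenyAccess). The rule and profile names mirror the thread (AD1:ExternalGroups, PermitAccess, DenyAccess); the user names and AD group DNs are constructed sample data.

```python
# Added illustration (not Cisco ACS code): a minimal model of first-match
# evaluation of an ACS 5.x authorization policy and its Default rule.

# Constructed sample AD group membership, as ACS would retrieve it from AD1.
AD_USERS = {
    "alice": ["CN=NetworkTeam,OU=Groups,DC=example,DC=com"],
    "bob":   ["CN=HelpDesk,OU=Groups,DC=example,DC=com"],
    "carol": [],   # authenticates against AD but belongs to no mapped group
}

NETWORK_TEAM = "CN=NetworkTeam,OU=Groups,DC=example,DC=com"

def build_policy(default_profile):
    """Rules as (name, condition, shell profile). The condition is a
    predicate over the user's AD1:ExternalGroups; Default has none."""
    return [
        ("NetAdmin", lambda groups: NETWORK_TEAM in groups, "PermitAccess"),
        ("Default", None, default_profile),
    ]

def authorize(policy, user):
    """First-match evaluation for a user whose AD1 authentication already
    succeeded: returns (matched rule name, shell profile)."""
    groups = AD_USERS.get(user, [])
    for name, condition, profile in policy:
        if condition is None or condition(groups):
            return name, profile
    raise RuntimeError("policy has no Default rule")

def session_allowed(policy, user):
    """The device shell is granted only when the selected profile permits."""
    return authorize(policy, user)[1] == "PermitAccess"

# The situation in the question: Default left at PermitAccess, so every AD
# user who authenticates falls through to it and is given a shell.
WEAK_POLICY = build_policy("PermitAccess")
# The fix from the thread: Default set to DenyAccess.
FIXED_POLICY = build_policy("DenyAccess")

if __name__ == "__main__":
    for user in AD_USERS:
        print(f"{user:6} weak={authorize(WEAK_POLICY, user)}"
              f"  fixed={authorize(FIXED_POLICY, user)}")
```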
