I have made great progress configuring my ACS 5.1 for tacacs+ services. However, there is one thing that is not working quite as I expected.
Instead of creating local ACS accounts for our network group I've decided to use the group setup in AD for our network team to authenticate and provide full access (privilege 15) to network team members.
Under Access Policies "Default Device Admin" I chose the AD1 identity source and then under "Authorization" created rules that seem to work only for authorization. AD users that are not in the network group are not authorized to execute any commands on our network devices.
However, what bothers me is that these non-network team AD users (in other AD groups) are still able to authenticate to the devices. They are granted the "permit access" shell profile according to the logs.
I would like it so that non-network AD users are not even authenticated to the network devices.
Does anyone have any thoughts on how I can accomplish this? I only want to see network team members authenticated to network devices. I am sure it is something simple I am missing. How can I grant the "deny access" shell profile to any AD user that is not in the AD network team group?
Thanks for the information. Turned out the problem was with the default policy rule at the end of the rule list. It was set, by default, to "permitaccess". I changed that to "denyaccess" and now non-network AD users are unable to achieve authentication with our network devices.
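The fix above comes down to first-match rule evaluation: any AD user who matches no explicit authorization rule falls through to the Default rule, so its shell profile decides whether outsiders get in. The following is an added example, not code from the thread or from Cisco ACS, that models that evaluation and a simple log check for sessions granted only by the Default rule; the group names, rule names, and log format are constructed.

```python
"""Added example (not from the thread or from ACS): a first-match evaluator
modelled on how an ACS 5.x authorization policy picks a shell profile, plus a
detection helper for sessions that were permitted only by the Default rule."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    required_group: str        # AD group the user must belong to (constructed names)
    shell_profile: str         # "Permit Access" or "Deny Access"
    privilege: Optional[int]   # privilege level granted, if any

# Constructed policy: one explicit rule for the network team (privilege 15).
RULES = [
    Rule("NetworkTeam-Priv15", "CORP\\NetworkTeam", "Permit Access", 15),
]

def authorize(user_groups, rules, default_profile):
    """First matching rule wins; everyone else falls through to the Default
    rule, whose profile is what the non-network AD users were receiving."""
    groups = set(user_groups)
    for rule in rules:
        if rule.required_group in groups:
            return rule.name, rule.shell_profile, rule.privilege
    return "Default", default_profile, None

def default_permit_hits(log_lines):
    """Return users whose session was granted by the Default rule with a
    permitting profile: the symptom of the misconfiguration in the thread."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("rule") == "Default" and fields.get("profile") == "PermitAccess":
            hits.append(fields["user"])
    return hits

# Constructed key=value log lines (not real ACS output).
SAMPLE_LOG = [
    "user=alice rule=NetworkTeam-Priv15 profile=PermitAccess",
    "user=bob rule=Default profile=PermitAccess",
    "user=carol rule=Default profile=DenyAccess",
]

if __name__ == "__main__":
    print(authorize({"CORP\\HelpDesk"}, RULES, "Permit Access"))  # ('Default', 'Permit Access', None)
    print(authorize({"CORP\\HelpDesk"}, RULES, "Deny Access"))    # ('Default', 'Deny Access', None)
    print(default_permit_hits(SAMPLE_LOG))                         # ['bob']
```

Running the same user set against both default profiles shows that only the Default rule's profile changes the outcome for users outside the network team, which is why flipping it to deny was enough.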