ACS 5.4 AD Integration Allows All Users

Hello,

I've been struggling to find out why our ACS deployment allows everyone within AD to login to our devices.  They are not able to do anything because of the command authorization but I don't understand why EVERYONE is allowed in when I specified a specific group to only be allowed access.  That group is allowed full access which is fine but it still bothers me that anyone on our domain can just log in period.

Any thoughts?  Thanks.

Matt

Accepted Solution

ACS 5.4 AD Integration Allows All Users

Hello Matt,

Just by specifying a group in a policy does not mean that the rest of users on different groups will get denied.

Make sure that the default action for that policy (I mean, if you do not match the previously configured rule) is drop. Then it should work as you want.

Check my blog at http:laguiadelnetworking.com  and subscribe so you can get daily information about networking.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
5 REPLIES

Re: ACS 5.4 AD Integration Allows All Users

Much like the previous user said, you will need to check your default policy is set to deny.

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*

Re: ACS 5.4 AD Integration Allows All Users

Do you still have any questions?

Otherwise, mark the question as answered.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: ACS 5.4 AD Integration Allows All Users

Identity was already set to drop, the way to fix my issue actually was to CREATE a deny policy under authorization. 
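To make the two points in this thread concrete (the accepted answer: a permit rule for one group does not by itself deny anyone else; this reply: an explicit deny rule placed after the permit rule fixes it), here is a small added model of ordered, first-match access-policy rules. It is not code from the thread or from Cisco; the group names, user records and rule names are constructed for illustration.

```python
# Toy model of an ordered, first-match rule table with a default action,
# the shape of an ACS 5.x access policy. All names below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PERMIT, DENY = "permit", "deny"


@dataclass
class Rule:
    name: str
    required_group: Optional[str]  # None matches any authenticated user
    action: str


@dataclass
class Policy:
    rules: List[Rule]
    default_action: str  # applied when no rule matches


def evaluate(policy: Policy, user_groups: Set[str]) -> Tuple[str, str]:
    """Return (action, matched rule name); the first matching rule wins."""
    for rule in policy.rules:
        if rule.required_group is None or rule.required_group in user_groups:
            return rule.action, rule.name
    return policy.default_action, "<default>"


# Constructed sample AD memberships: one admin, one ordinary domain user.
USERS: Dict[str, Set[str]] = {
    "netadmin": {"Domain Users", "NetworkAdmins"},
    "hr_user": {"Domain Users", "HR"},
}


def who_gets_in(policy: Policy) -> Dict[str, str]:
    return {user: evaluate(policy, groups)[0] for user, groups in USERS.items()}


ADMIN_RULE = Rule("admins", "NetworkAdmins", PERMIT)
# The original poster's situation: a permit rule for the admin group only,
# with the policy default left at permit, so every AD account is let in.
OPEN_POLICY = Policy([ADMIN_RULE], default_action=PERMIT)
# The accepted answer: same rule, default action changed to deny.
DEFAULT_DENY_POLICY = Policy([ADMIN_RULE], default_action=DENY)
# What the poster did instead: an explicit catch-all deny rule after the
# permit rule; this denies everyone else whatever the default action is.
EXPLICIT_DENY_POLICY = Policy([ADMIN_RULE, Rule("deny-others", None, DENY)], default_action=PERMIT)

if __name__ == "__main__":
    for label, p in [("open", OPEN_POLICY), ("default-deny", DEFAULT_DENY_POLICY), ("explicit-deny", EXPLICIT_DENY_POLICY)]:
        print(label, who_gets_in(p))
```

Rule order matters with first-match evaluation: a catch-all deny placed above the group permit rule would lock the admins out as well.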


Re: ACS 5.4 AD Integration Allows All Users

The IP addresses and subnet masks that are associated with the network device. Select to enter a single IP address or to define a range.

For the steps to get the job done, please go through the link below:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/net_resources.html#wp1060126
