Cisco Support Community
Silver

ACS PEAP - Deny login to AP based on groups

Hello,

I have some WiFi APs and I am working on introducing centralized authentication with ACS using PEAP. All MAC addresses are registered in ACS as users, and my question is how I can forbid these MAC addresses (users) from accessing the VTY of the APs. Right now, with the MAC address (username) and password (the same MAC), I can log in to the AP, which is not very secure.

Thanks in advance,

FCS

5 REPLIES
Silver

Re: ACS PEAP - Deny login to AP based on groups

I think you could try adding Network Access Restrictions to the ACS group(s) that the users are a member of.

The problem, of course, is that you either need to list all the devices that *can* access the VTY ports or the devices that *can't*. Either list could be very long.

Could you consider using VLAN/ACLs in the user session to prevent access to the APs themselves?

Community Member

Re: ACS PEAP - Deny login to AP based on groups

You need to configure login and/or authorization on your AP to allow only certain users/groups from the TACACS+ server (ACS). These users/groups are then configured with a TACACS+ access level/privilege in ACS.

Cisco Employee

Re: ACS PEAP - Deny login to AP based on groups

Hi,

If you are using TACACS+ for your telnet authentication, then simply uncheck "Shell (exec)" in the groups which you do not want to have access to the VTY.

If you are using RADIUS for telnet authentication, then you will need to configure NARs on the group. A NAR can be based on the NDG, hence not many entries will be required in the NAR.

Community Member

Re: ACS PEAP - Deny login to AP based on groups

Hi there,

I have a similar situation, which uses RADIUS for LEAP and telnet / SSH / HTTP access to APs, IOS switches and ASAs.

Is there a quick way of creating a NAR for these or any other method of restricting access?

Is anyone aware of a list of NAS ports used with RADIUS shell authentication so they can all be blocked? Or conversely, the NAS ports required for valid traffic?

The end goal is to permit only admin accounts shell access to the network devices, but allow VPN and wireless users to authenticate for network connectivity.

TIA and best regards,

Luke

Silver

Re: ACS PEAP - Deny login to AP based on groups

Hello,

You can deny access to the devices using the cisco-av-pair Cisco IOS/PIX RADIUS attribute.

[009\001] cisco-av-pair

shell:autocmd=exit

I use this way, and it works.

Let's check it...

Bye FCS

Please rate me if I helped.
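An added example (not from the thread) of the AP-side IOS AAA configuration that makes the shell:autocmd=exit approach above take effect; the ACS address and shared secret are placeholders.

```cisco
! Added example, not from the thread: IOS AAA configuration on the AP.
! Assumes ACS is reachable at 192.0.2.10 (placeholder) with a placeholder key.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER_SHARED_SECRET
!
! Authenticate VTY logins against ACS, falling back to the local
! database only if ACS is unreachable.
aaa authentication login default group radius local
!
! Exec authorization is what makes the AP apply the RADIUS-returned
! cisco-av-pair "shell:autocmd=exit". Without this line the attribute is
! ignored and the MAC-address users still land in a shell.
aaa authorization exec default group radius local
!
line vty 0 4
 login authentication default
!
! On the ACS side, the group holding the MAC-address users returns
!   [009\001] cisco-av-pair = shell:autocmd=exit
! so the EXEC session ends immediately after a successful login, while
! the admin group returns no autocmd (or shell:priv-lvl=15) and keeps its shell.
! autocmd only affects the EXEC shell (Telnet/SSH/console); HTTP management
! access must be authorized separately (e.g. ip http authentication aaa).
```

Verify the result from a test account in the MAC-address group: the login should succeed and the session should close before any command can be entered.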
