673 Views | 0 Helpful | 2 Replies

Control access to network device with ACS

dwhisinnand
Level 1

Hi all!

Currently I have in place a Cisco Secure ACS Appliance using Windows as the back end authentication. Cisco Secure is acting as TACACS+ server. I have two groups defined in Cisco Secure: Netadmins and ITD Security. The users in the Netadmins group need access to all switches and routers on the network. ITD Security only needs access to async line 53 on a 2611 router for an out of band connection to a firewall and no other access to any network devices. How can I limit access for the Cisco Secure group “ITD Security” to line 53 only?

My current config on this router is:

aaa new-model
aaa authentication login netadmins group tacacs+ line
aaa authentication login ITDSEC group tacacs+ line
tacacs-server host 10.30.X.X
tacacs-server host 10.18.X.X
tacacs-server key XXXXXXX
line 53
 no exec
 login authentication ITDSEC
 transport input all
 stopbits 1
 speed 115200
line vty 0 4
 exec-timeout 30 0
 timeout login response 120
 login authentication netadmins

but the users in the “ITD Security” group can still gain access by vty and then reverse telnet to any async line on the router. Additionally, users in “ITD Security” can still access any other switch or router using telnet: what should my configuration on those devices be? Do I need to do some configuration in ACS?

All other devices:

aaa new-model
aaa authentication login netadmins group tacacs+ line
tacacs-server host 10.30.X.X
tacacs-server host 10.18.X.X
tacacs-server key XXXXXXX
line con 0
 password 7 141C015C5806
 login authentication netadmins
line vty 0 4
 password 7 11020A524310
 login authentication netadmins
line vty 5 15
 password 7 11020A524310
 login authentication netadmins

Any help will be greatly appreciated.

1 Accepted Solution

Accepted Solutions

darpotter
Level 5

Hi

In the Security group I would create an IP Network Access Restriction with a permit entry. Basically to allow access to the single port on 2611 only.

The AAA Client field is the name you've given to the 2611 in network config. Address will be * unless you want to restrict access to one IP address. Port... never quite sure with async whether the port value should be "async 53" or "line 53".

If you look in passed/failed attempts for the nas-port attribute you'll see what T+ is sending to ACS. This should help you know what to put in the NAR.

Darran


2 Replies


Darran

Thank you very much for the help. I looked at the failed attempts log and found the NAS-Port to be tty53. I created an IP-based NAR for the security group in ACS and used port tty53 for the AAA client.

Problem solved!

-David
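The two steps the thread settles on are (1) read the nas-port value that TACACS+ actually reports in the ACS passed/failed attempts log and (2) build a permit-list IP NAR for the restricted group using that port. The script below is an added example, not code from the thread or from Cisco Secure ACS: it parses a constructed attempts export (the column names, AAA client names `rtr-2611` / `sw-core`, user names and IP addresses are all made up for illustration; real ACS exports differ by version), lists which NAS-Port values each user has presented, and then applies a simple model of a permit-list NAR (AAA client, calling-address pattern, port pattern, `*` wildcard as in ACS) to each attempt. The NAR entry for ITD Security uses `tty53`, the value David found in his log. It is a model of how a NAR decides, not ACS's own evaluation code.

```python
"""Added example: read NAS-Port values from an ACS-style attempts log and check
them against a per-group permit-list NAR. All data below is constructed."""
import csv
import io
from fnmatch import fnmatchcase

# Constructed "Network Configuration": AAA client name -> device address.
AAA_CLIENTS = {"rtr-2611": "10.30.1.2", "sw-core": "10.30.1.9"}

# Per-group IP NAR permit lists: (AAA client, calling address pattern, port pattern).
# None means the group carries no NAR and is unrestricted.
GROUP_NARS = {
    "ITD Security": [("rtr-2611", "*", "tty53")],
    "Netadmins": None,
}

# Constructed passed/failed attempts export; column layout is assumed.
SAMPLE_LOG = """\
Date,Time,User-Name,Group-Name,Caller-ID,NAS-IP-Address,NAS-Port
03/12/2007,09:01:10,dsmith,ITD Security,10.18.5.20,10.30.1.2,tty53
03/12/2007,09:03:44,dsmith,ITD Security,10.18.5.20,10.30.1.2,tty1
03/12/2007,09:05:02,dsmith,ITD Security,10.18.5.20,10.30.1.9,tty66
03/12/2007,09:07:30,jdoe,Netadmins,10.18.5.21,10.30.1.9,tty66
"""


def parse_attempts(log_text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(log_text)))


def ports_seen(rows):
    """Map user -> sorted (device address, NAS-Port) pairs observed in the log.
    This is the 'look at passed/failed attempts for nas-port' step: it shows
    the exact port string the router sends, so the NAR can be written to match."""
    seen = {}
    for r in rows:
        seen.setdefault(r["User-Name"], set()).add((r["NAS-IP-Address"], r["NAS-Port"]))
    return {user: sorted(pairs) for user, pairs in seen.items()}


def nar_decision(group, caller, nas_ip, nas_port):
    """Permit-list semantics: access is granted only if some NAR entry for the
    group matches the AAA client, the calling address and the port."""
    nar = GROUP_NARS.get(group)
    if nar is None:
        return "permit"
    for client, addr_pat, port_pat in nar:
        if AAA_CLIENTS.get(client) != nas_ip:
            continue
        if fnmatchcase(caller, addr_pat) and fnmatchcase(nas_port, port_pat):
            return "permit"
    return "deny"


def evaluate(rows):
    """Apply each user's group NAR to every logged attempt."""
    return [
        (r["User-Name"], r["NAS-IP-Address"], r["NAS-Port"],
         nar_decision(r["Group-Name"], r["Caller-ID"], r["NAS-IP-Address"], r["NAS-Port"]))
        for r in rows
    ]


if __name__ == "__main__":
    rows = parse_attempts(SAMPLE_LOG)
    for user, pairs in ports_seen(rows).items():
        print(f"{user}: {pairs}")
    for user, nas_ip, nas_port, decision in evaluate(rows):
        print(f"{user} {nas_ip} {nas_port} -> {decision}")
```

In the constructed data the ITD Security user is permitted only on `tty53` of the 2611; the attempts on another async line of the same router and on a second device are denied, which is the behaviour the question asked for. Running `ports_seen` on a real export is the quickest way to confirm the port string before committing it to the NAR.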
