Community Member

Denying AAA Clients to a specific user group in ACS v4.1

Using 4.1 is there a "simple" method of simply denying a usergroup the ability to even login to specific AAA clients? Customer has a telephony group that they want to allow them to telnet and check into all the voice routers, but no other routers, they have the command sets and all that setup but wanted to see if a way to push that group simply to voice routers only ??

thanks in advance,

dave

2 Accepted Solutions

Re: Denying AAA Clients to a specific user group in ACS v4.1

You can set it up using NAR in ACS.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

Regards,

~JG

Do rate helpful posts

Cisco Employee

Re: Denying AAA Clients to a specific user group in ACS v4.1

Hi,

Why don't you use NAR (Network Access Restriction)?

Under the network config > simply create one NDG and assign all the voice routers under it.

After that, go to the group/user where you want to put this restriction.

You need to check what we are getting in the calling station ID. If we are getting an IP address, then:

[1] To accomplish the above, we would configure the group with the following:

NAR (network access restriction)

Define IP based Network Access Restriction

Permitted Calling Point

AAA client: VOICE NDG created

Port *

Src IP Address *

Submit the changes and try.

Here is more on configuring Network Access Restriction:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478900

HTH

JK

Plz rate helpful posts-

~Jatin Katyal
13 REPLIES


Community Member

Re: Denying AAA Clients to a specific user group in ACS v4.1

I looked at that, but isn't that just simply "network restriction" I want them to be able to login to all voice routers and execute the "allowed" commands we have listed, but if they login to a data only router, to get denied access altogether, make sense ?

Cisco Employee

Re: Denying AAA Clients to a specific user group in ACS v4.1

Hi,

Just checked your reply.

Well, you need to get a bit tricky. It looks like you have data and voice routers, and you want no access to the data routers and restricted access to the voice routers.

Check this:

Create two NDGs, one for the voice routers and the other for the data routers.

Go to the group > apply a NAR on the data routers with the action as denied. If we are getting anything apart from a valid IP address, then you have to use CLID/DNIS-based NAR.

Since you have a command set created with specific commands > on the same group > scroll down to the Shell Command Authorization Set

Assign a Shell Command Authorization Set on a per Network Device Group Basis

Here you can map the VOICE routers' NDG with the respective command authorization set.

So this way we can deny access to the data routers and restrict access to the voice routers.

HTH

JK

Plz rate helpful posts-

~Jatin Katyal
Community Member

Re: Denying AAA Clients to a specific user group in ACS v4.1

Thanks I will give that a shot, that's what was hanging me up on the NAR was that it showed CLID/DNIS but they are local telnet users...

Community Member

Re: Denying AAA Clients to a specific user group in ACS v4.1

What do the stars mean, is it a wild card?

If I select deny access and all AAA clients and apply it to a group, does that mean that they will not have access to the AAA client? i.e. they will not be able to authenticate and log on to a router.

Re: Denying AAA Clients to a specific user group in ACS v4.1

Yes, it is a wildcard.

Yes, if the condition is deny for all AAA clients, then that group will not have access to any client.

Access denied.

Regards,

~JG

Do rate helpful posts

Cisco Employee

Re: Denying AAA Clients to a specific user group in ACS v4.1

Hi Kelvin,

You got it right. * means wildcard, and if we use (*) for port and source address then it would assume any port/address.

If you use the action as deny for all AAA clients, then users of that group in ACS will not be able to access any device.

HTH

JK

Plz rate helpful posts-

~Jatin Katyal
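The NAR behaviour described in the two replies above (a permitted table on the VOICE NDG or a denied table on the DATA NDG, the * wildcard for port and source address, and a deny for "All AAA Clients" locking the group out everywhere) as an added, simplified model in Python. This is not ACS code or anything from the thread; the device names, NDG names, addresses and requests are constructed for the example, and the rule that every NAR assigned to a group must allow a request is an assumption of the model.

```python
import fnmatch
from dataclasses import dataclass

# Constructed inventory: AAA client name -> the NDG it was assigned to.
NDG_OF_CLIENT = {"voice-rtr-1": "VOICE", "voice-rtr-2": "VOICE", "data-rtr-1": "DATA"}

@dataclass
class NarEntry:
    aaa_client: str        # an NDG name, one AAA client, or "All AAA Clients"
    port: str = "*"        # "*" matches any port, as in the ACS table
    src_addr: str = "*"    # "*" matches any source address

@dataclass
class Nar:
    permitted: bool        # True = "Permitted" table, False = "Denied" table
    entries: list

def _entry_matches(e, client, port, src):
    client_ok = (e.aaa_client == "All AAA Clients" or e.aaa_client == client
                 or NDG_OF_CLIENT.get(client) == e.aaa_client)
    return (client_ok and fnmatch.fnmatchcase(str(port), e.port)
            and fnmatch.fnmatchcase(src, e.src_addr))

def nar_allows(nar, client, port, src):
    """Permitted table: allow only on a match. Denied table: block on a match."""
    matched = any(_entry_matches(e, client, port, src) for e in nar.entries)
    return matched if nar.permitted else not matched

def group_allows(nars, client, port, src):
    # Assumption of this model: every NAR on the group must allow the request.
    return all(nar_allows(n, client, port, src) for n in nars)

def check_requests(nars, requests):
    """Map (client, src) -> allowed for constructed (client, port, src) requests."""
    return {(c, s): group_allows(nars, c, p, s) for c, p, s in requests}

# Constructed telnet logins from one admin workstation to each router.
REQUESTS = [("voice-rtr-1", 23, "10.0.0.5"), ("voice-rtr-2", 23, "10.0.0.5"),
            ("data-rtr-1", 23, "10.0.0.5")]

# Telephony group: permitted calling point = VOICE NDG, port *, src IP *.
TELEPHONY_PERMIT_VOICE = [Nar(permitted=True, entries=[NarEntry("VOICE")])]
# The alternative from the thread: a denied table on the DATA NDG.
TELEPHONY_DENY_DATA = [Nar(permitted=False, entries=[NarEntry("DATA")])]
# Deny for "All AAA Clients": the group cannot log on to any device.
LOCKED_OUT = [Nar(permitted=False, entries=[NarEntry("All AAA Clients")])]

if __name__ == "__main__":
    for name, nars in [("permit VOICE", TELEPHONY_PERMIT_VOICE),
                       ("deny DATA", TELEPHONY_DENY_DATA), ("deny all", LOCKED_OUT)]:
        print(name, check_requests(nars, REQUESTS))
```

Both telephony variants give the same answer on this inventory; they differ only for a device that is in neither NDG, which the permitted table blocks and the denied table lets through.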
Community Member

Re: Denying AAA Clients to a specific user group in ACS v4.1

OK thanks that's what I was hoping. One more question, if I have remote access VPN on an ASA and authentication is provided via the ACS and I add the NAR as I described earlier would those users in the group still be able to authenticate?

Cisco Employee

Re: Denying AAA Clients to a specific user group in ACS v4.1

Hi kelvin,

They will be able to connect if you are using the ASA for VPN with the RADIUS protocol.

HTH

JK

Plz rate helpful posts-

~Jatin Katyal
Community Member

Re: Denying AAA Clients to a specific user group in ACS v4.1

I am guessing if it is using TACACS then it is going to be a problem, am I right?

Cisco Employee

Re: Denying AAA Clients to a specific user group in ACS v4.1

Kelvin,

You are correct. If we are using TACACS for both sessions, then this would not work because the rem_address would be the same, and that will not allow the VPN users because the NAR is there.

HTH

JK

Plz rate helpful posts-

~Jatin Katyal
Community Member

Re: Denying AAA Clients to a specific user group in ACS v4.1

ACS 3.2 does not have device groups so I cannot separate the devices.... thanks a lot I'm gonna have to think about it some more.
