How to configure ACS 3.1 to restrict access to network devices

gfendrick
Level 1

We are setting up Cisco Secure 3.1 to manage access and command authorization for network devices (i.e. routers/switches).

Our network support engineers telnet into routers on the network. When we use Cisco Secure, if an unauthorized person attempts to log in to the router, we want Cisco Secure to fail authentication of the user.

I have read the document "Building a Scalable Network Device Management Framework with the Cisco Secure ACS TACACS+ (RBAC) Server". On page 16 of that document, it states you can use NAR Filtering to restrict access to the network devices.

How do you define the NAR filtering to accomplish this?

4 Replies

tepatel
Cisco Employee

You can configure ACS for command authorization so that when the user issues a command, it will be executed only if it's authorized by ACS. Here are the links for that:

http://www.cisco.com/warp/public/480/PRIV.html

http://www.cisco.com/warp/public/480/8.shtml

Now if you want the users to be authenticated before logging in to a router/switch, you can issue the following command:

aaa authentication login default group radius
(or: aaa authentication login default group tacacs+)

After that, login access (telnet/console) will prompt for a username and password.
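As an added example (not from the original post or from the Cisco documents linked above), here is a minimal IOS AAA configuration that puts tepatel's two pieces together: login authentication against ACS over TACACS+, plus exec and per-command authorization so that ACS decides what a logged-in user can run. The server address, shared secret and local fallback account are placeholder assumptions.

```cisco
! Added example, not from the original post. Placeholder values: ACS server
! address, TACACS+ shared secret, and the local fallback account.
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key ExampleSharedSecret
!
! Authenticate logins against ACS. The "local" method is tried only when no
! TACACS+ server answers; an explicit reject from ACS is final and is NOT
! retried against the local database.
aaa authentication login default group tacacs+ local
!
! Ask ACS whether the user is allowed an exec shell at all, then authorize
! each command at privilege levels 1 and 15 before it is executed.
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting so that both permitted and denied commands appear in ACS reports.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback account, used only when ACS is unreachable.
username admin privilege 15 secret ExampleLocalPassword
!
! Keep the console on a local-only method list so an ACS outage does not
! lock administrators out of the box.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input telnet
```

Two points worth checking after applying this: first, test a known-bad password from a second telnet session before closing the one you are configuring from, so a typo in the shared secret cannot lock you out; second, because the authorization lists above name only "group tacacs+ local", a user that ACS authenticates but does not authorize for exec is dropped at login rather than being silently granted a shell.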

I think you are on track with what I want to accomplish, but I want to use Cisco Secure ACS to deny the login if the user has not been granted access to the device.

Let's take your authentication example to the next step, which is where my question lies.

Let's suppose the user has telnet'd to a router, and is asked for username and password, i.e., the TACACS+ authentication you outlined. In our case we will use NT Active Directory to authenticate the user. Now for the next step.....

The user enters his/her valid NT network userid and password, same as they would when they log into the NT network from their workstation. At this point, ANYONE could log into a router with their NT userid and password. (I don't want that, but hopefully TACACS+ command authorization would stop them from doing anything.)

But what I want to do, is to use NAR so only users authorized to access a router are allowed to successfully login. According to the doc, I should be able to do this.

HOW? I'm trying to figure out what I need to construct/define in Cisco Secure. I would like to do this with Groups of network devices, Groups of users, and then Network Access Restrictions. But I haven't figured out how to correctly define this.

amir.safayan
Level 1

If you are like me, you have read and re-read many (and there are NOT many) docs on CCO that relate to the logic and functionality of NAR. I gave up and opened a TAC case and escalated it to a lead engineer. ACS documentation on CCO is the PITS! I have an all-Cisco environment (Cat 6590s, PIXs, VPN Concentrators, IDS devices, etc.). My gut feeling is that Cisco has not provided sufficient "white papers" or "best practices" docs for the ACS like they do for many of the platforms mentioned above.

My goal was to tighten wireless access to a subset of our NT domain accounts. We have a best-practices Cisco wireless implementation with WEP enhancements and LEAP authentication. What was missing in Cisco's documentation on this issue was how to optimize the configuration of ACS. With the basic LEAP authentication via ACS to our NT domain, a potential hacker could brute force against our entire NT domain user population. So I set out to use ACS to create a mapping to an NT domain group that consists ONLY of the users who need wireless authentication. As you may know, in NT 4.0, you cannot natively impose password complexity. Even with the MS passfilt.dll for password complexity, you cannot apply it to an individual group. YOU MUST APPLY IT TO THE WHOLE NT USER POPULATION. That is easier said than done when you have 3,000 plus users.

We finally finished the configuration today and hope to cut over tomorrow. I am at home at the moment. When I get to work tomorrow, I will post the solution.

Yes, I agree. I've read the Cisco Secure ACS white papers, and in particular the one covering the subject I'm interested in, that is, how to use ACS to secure administration access to network devices.

The white paper has a lot of good stuff, but is weak in fully explaining how to get it done. We need more complete examples.