How to require user group membership to access via a given NAS?
I am attempting to configure our new ACS (Release 3.2(1) Build 20) as the RADIUS server for several network access servers.
For simplicity, suppose I have only two NASes, a switch and CiscoWorks VMS. A user might deserve access to one, the other, both or neither.
No users are defined on the ACS itself. All user authentication & authorization info is stored in our LDAP. Since the users are external to ACS, they are mapped to an ACS group whenever they attempt to gain access through a NAS. This mapping is based on their memberships in LDAP groups. They are always mapped to a *single* group because the ACS does not support the idea of users being in multiple groups. Consequently, I had to create 4 ACS groups for the combinations of LDAP group memberships: Switch+VMS, Switch+noVMS, noSwitch+VMS, noSwitch+noVMS. By making this the mapping order, I can guarantee that a user will land in the correct ACS group for their combination of rights.
Now I need to configure the ACS so that when a request arrives from the switch, access is granted if the user is in Switch+VMS or Switch+noVMS, but not if the user is in noSwitch+VMS or noSwitch+noVMS. I need to do the analogous thing for VMS. How do I do that?
I have tried using Shared Network Access Restrictions to accomplish this. I created two NARs, nar_NASisSwitch and nar_NASisVMS. For nar_NASisSwitch, I turned on "Defined IP-based access restrictions" and "Table defines Permitted Calling/Point of Access Locations." I added the switch from the list of defined AAA clients, and used all ports and all Src IP Addys ("*" and "*"). I did the analogous thing for nar_NASisVMS.
Next I added these NARs to the groups. The example below is for Switch+noVMS.
Shared Network Access Restrictions
[X] Only allow network access when
( ) All selected NARs result in permit
(X) Any one selected NAR results in permit
NARs Selected NARs
Here is the problem: Suppose a user has access to the switch but not to VMS. When he attempts to log in through VMS, he is correctly mapped into the Switch+noVMS ACS group. The NAR is then checked. Unfortunately, the NAR simply says "permit if NAS is Switch"-- it does NOT say DENY OTHERWISE. When I check the Passed Authentications log, the message is:
"Access Filter nar_NASisSwitch from Switch+noVMS did not fail any criteria. This is sufficient to satisfy an 'Any Selected' SPC NAR config."
and the user is permitted access through VMS even when he shouldn't be.
Another alternative is to use "deny" NARs instead of "permit" ones. Unfortunately, that would mean that I'd have to revisit every NAR every time I added a new device.
So, how can I configure the ACS so that when a request arrives from the switch, access is granted if the user is in Switch+VMS or Switch+noVMS, but not if the user is in noSwitch+VMS or noSwitch+noVMS? That is, how do I *link* a NAS to the set of groups, such that the user must be a member of one of them before access can be granted?
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...