1207 Views, 0 Helpful, 6 Replies

How to stop ACS-integrated AD users from logging in to AAA clients (network devices)

sunil.aroraa (Level 1)

I have an ACS 4.2 Appliance which is integrated with Active Directory.

AD users are able to log in to network devices. Is there any way that I can stop AD users and other local users from logging in to AAA clients (network devices)?

6 Replies

Hi Robert,

Thanks for your reply.

But I'm not talking about administration of the ACS appliance. The concern is to stop the external database users from logging in to network devices (AAA clients).

These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.

What kind of AAA clients are we talking about? Cisco switches, Cisco WLCs? Switching gear from other companies?

For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS or TACACS+, respectively):

aaa group server radius rad_admin
 server xxx.xxx.xxx.xxx

aaa group server tacacs+ tac_admin
 server xxx.xxx.xxx.xxx

If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

As a follow-up, let's assume you want to use ACS to authenticate admin access to your AAA clients, but you don't want ACS to check against AD.

If you are using TACACS+ for admin auth, and the admin users are in the local database on the ACS server, then I think you just need to go to your AAA client definition on the ACS server, scroll down to the "TACACS+ login/enable authentication" section, and select the appropriate "Authenticate Using" option.
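A fuller version of the device-side TACACS+ configuration sketched in the replies above, added here as an example (it is not from the original thread). The server address, shared key, group name and fallback account are placeholders; note that these lines only make the switch consult ACS, while which users ACS accepts for this AAA client is decided on the ACS side.

```cisco-ios
! Added example: IOS-side admin authentication against ACS over TACACS+
! 192.0.2.10, the key, "tac_admin" and the fallback user are placeholders
aaa new-model
!
tacacs-server host 192.0.2.10 key ACS_SHARED_KEY_PLACEHOLDER
!
aaa group server tacacs+ tac_admin
 server 192.0.2.10
!
! Logins are checked against ACS first. "local" is used only when no
! server in the group answers, not when ACS rejects the credentials,
! so an AD user denied by ACS does not fall through to the local database.
aaa authentication login ADMIN_AUTH group tac_admin local
aaa authentication enable default group tac_admin enable
aaa authorization exec ADMIN_AUTH group tac_admin local
!
! Local emergency account, reachable only while ACS is unavailable
username admin-fallback privilege 15 secret FALLBACK_PASSWORD_PLACEHOLDER
!
line con 0
 login authentication ADMIN_AUTH
line vty 0 4
 login authentication ADMIN_AUTH
 authorization exec ADMIN_AUTH
 transport input ssh
```

Apply the method to the console and VTY lines explicitly, as above; a line left on the default method list keeps whatever the default list allows.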

Yes, I don't want ACS to check credentials against AD, and I want to deny access to AAA clients (routers and switches) for users who are not in the local database of ACS. Or I can restrict only specific users or groups to log in to AAA clients.

I haven't found any option for it. As you said, scroll down to the "TACACS+ login/enable authentication" section, but I was not able to find this option. Can you please elaborate on this or give the path and a screenshot for the same?

I'll appreciate your efforts to solve the issue.

Hi,

My problem hasn't been resolved yet and I'm still looking for a solution. I have not found the "Authenticate Using" option in ACS.

I'll appreciate it if you can let me know exactly where I can find this option.

Thanks in advance.
