Cisco Support Community


How to stop ACS integrated AD users from logging in to AAA clients (network devices)

I have ACS 4.2 Appliance which is integrated with Active directory.

AD users are able to log in to network devices. Is there any way that I can stop AD users and other local users from logging in to AAA clients (network devices)?


Re: How to stop ACS integrated AD users from logging in to AAA clients (network devices)


Re: How to stop ACS integrated AD users from logging in to AAA clients (network devices)

Hi Robert,

Thanks for your reply.

But I'm not talking about administration of the ACS appliance. The concern is to stop external database users from logging in to network devices (AAA clients).

Re: How to stop ACS integrated AD users from logging in to AAA clients (network devices)

These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.

What kind of AAA clients are we talking about? Cisco switches, Cisco WLCs? Switching gear from other companies?

For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS or TACACS+, respectively):

! RADIUS server group pointing at the ACS appliance
aaa group server radius rad_admin
 server xxx.xxx.xxx.xxx
!
! TACACS+ server group pointing at the ACS appliance
aaa group server tacacs+ tac_admin
 server xxx.xxx.xxx.xxx

If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).
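The server-group lines above only define where the switch can send requests; they take effect once a method list references the group and is applied to the management lines. The following is an added example of a complete Cisco IOS TACACS+ administrative-access configuration, not taken from the original thread. The ACS address 192.0.2.10, the shared secret, the group name tac_admin, the method-list name ADMIN and the fallback account name are all placeholders chosen for illustration.

```cisco
! Added example: IOS switch authenticating admin logins against ACS via TACACS+.
! 192.0.2.10, the shared secret, tac_admin, ADMIN and fallback-admin are placeholders.
aaa new-model
!
! ACS appliance as the TACACS+ server (address and key are assumptions)
tacacs-server host 192.0.2.10
tacacs-server key ACS-SHARED-SECRET
!
aaa group server tacacs+ tac_admin
 server 192.0.2.10
!
! Named method lists: try ACS first; "local" is consulted only if no TACACS+
! server answers, NOT when ACS rejects the user.
aaa authentication login ADMIN group tac_admin local
aaa authorization exec ADMIN group tac_admin local
aaa accounting exec ADMIN start-stop group tac_admin
aaa accounting commands 15 ADMIN start-stop group tac_admin
!
! Local account used only while ACS is unreachable (password is a placeholder)
username fallback-admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! Apply the method lists to the remote-management lines
line vty 0 15
 login authentication ADMIN
 authorization exec ADMIN
 accounting exec ADMIN
 accounting commands 15 ADMIN
 transport input ssh
```

The point worth noting for this thread: with method lists like these, the switch accepts any user that ACS says PASS for, regardless of whether ACS resolved that user from its internal database or from Active Directory. The fallback to `local` happens only on a transport error (no server reply), so a user rejected by ACS is not retried locally. Deciding which users or groups may reach a given AAA client is therefore done on the ACS side, not in the switch configuration.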

Re: How to stop ACS integrated AD users from logging in to AAA clients (network devices)

As a follow-up, let's assume you want to use ACS to authenticate admin access to your AAA clients, but you don't want ACS to check against AD.

If you are using TACACS+ for admin auth, and the admin users are in the local database on the ACS server, then I think you just need to go to your AAA client definition on the ACS server and scroll down to the "Tacacs+ login/enable authentication" section and select the appropriate "Authenticate Using" option.


Re: How to stop ACS integrated AD users from logging in to AAA clients (network devices)

Yes, I don't want ACS to check credentials against AD, and I want to deny access to AAA clients (routers and switches) for users who are not in the local database of ACS. Or I could restrict only specific users or groups to log in to AAA clients.

I haven't found any option for it. As you said, scroll down to the "Tacacs+ login/enable authentication" section, but I was not able to find this option. Can you please elaborate on this, or give the path and a screenshot for it?

I'll appreciate your efforts to solve the issue.


Re: How to stop ACS integrated AD users from logging in to AAA clients (network devices)

Hi,

My problem hasn't been resolved yet and I'm still looking for a solution. I have not found the "Authenticate Using" option in ACS.

I'll appreciate it if you can let me know exactly where I can find this option.

Thanks in advance.
