Relevant background: Win2k3 Active Directory used for passwords, usernames/groups local to ACS (version 4.0), mixture of 2960s, 4900s, 6500s.
Goal: I'm trying to lock down a small set of users (2-4) to have read-only access to a few switches, and zero access to any other.
Current: I have the switches I want this group to access in a Network Device Group (NDG). The users are also in a group. I have given them read-only access. However this group can log into other NDGs' member switches. When they get in they have no enable access, but they can poke around a little bit, and to be honest it would just be cleaner if they couldn't log in at all.
I'm not interested in locking them down via IP, time, or anything other than their group within ACS. Is this even possible?
If you go to Interface Configuration -> Advanced Options, there is an option "Group-Level Network Access Restrictions". If you check that, then under each group you can define which devices members can authenticate on. Within your read-only group, you can go to the section "Per Group Defined Network Access Restrictions" and specify which hosts the users can authenticate to. You can also limit them by their source IP, but if you put * in the IP and port fields then those users can connect from anywhere, just to the hosts you specify.
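To make the effect of the group-level NAR concrete, here is a small model of the decision ACS makes, written as an added example for this thread (it is not ACS code and does not talk to ACS). The NDG names, switch names and IP addresses are constructed; the three-field NAR entry (AAA client or NDG, source-address pattern, port pattern, with `*` as a wildcard) follows the answer above. The point it shows is the one the question is about: with no NAR defined, a read-only group can authenticate on every switch in the inventory and only the privilege level limits them; with a NAR listing just the one NDG, every other switch becomes a deny.

```python
"""Model of ACS 4.x group-level Network Access Restrictions (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory: Network Device Groups (NDGs) -> AAA client (switch) names.
NDGS: Dict[str, Set[str]] = {
    "RO-Switches": {"sw-2960-a", "sw-4900-b"},       # the few switches the group may see
    "Core":        {"sw-6500-core1", "sw-6500-core2"},
}

# One "permitted" NAR entry as on the ACS group page:
# (AAA client or NDG name, source address pattern, port pattern). "*" means any.
NarEntry = Tuple[str, str, str]


@dataclass
class Group:
    name: str
    privilege_level: int                    # 1 = read-only exec, 15 = enable
    nar: Optional[List[NarEntry]] = None    # None = no group-level NAR defined


def expand_clients(name: str) -> Set[str]:
    """An NAR entry may name a single AAA client or a whole NDG (hypothetical helper)."""
    return set(NDGS.get(name, {name}))


def evaluate(group: Group, aaa_client: str, src_ip: str, port: str = "tty") -> dict:
    """Decide whether a member of `group` may authenticate on `aaa_client`.

    Without a NAR the request is accepted on any client and only the privilege
    level limits the user (the situation in the question). With a NAR, the
    request is accepted only if some permitted entry matches; otherwise deny.
    """
    if group.nar is None:
        return {"allowed": True, "privilege": group.privilege_level,
                "reason": "no NAR defined: any AAA client accepted"}
    for client_or_ndg, ip_pat, port_pat in group.nar:
        if (aaa_client in expand_clients(client_or_ndg)
                and fnmatchcase(src_ip, ip_pat)
                and fnmatchcase(port, port_pat)):
            return {"allowed": True, "privilege": group.privilege_level,
                    "reason": f"matched NAR entry {client_or_ndg}/{ip_pat}/{port_pat}"}
    return {"allowed": False, "privilege": None,
            "reason": "no NAR entry matched: default deny"}


def reachable_clients(group: Group, src_ip: str = "0.0.0.0") -> Set[str]:
    """Audit helper: every switch in the inventory a member could log into from src_ip."""
    all_clients: Set[str] = set().union(*NDGS.values())
    return {c for c in all_clients if evaluate(group, c, src_ip)["allowed"]}


if __name__ == "__main__":
    # Current state from the question: read-only group, no NAR -> can reach every switch.
    ro_open = Group("ReadOnly", privilege_level=1)
    print("no NAR  :", sorted(reachable_clients(ro_open)))

    # After the answer: NAR permitting only the RO-Switches NDG, from any source IP/port.
    ro_locked = Group("ReadOnly", privilege_level=1, nar=[("RO-Switches", "*", "*")])
    print("with NAR:", sorted(reachable_clients(ro_locked)))
    print(evaluate(ro_locked, "sw-6500-core1", "10.1.1.5")["reason"])
```

The `reachable_clients` audit is the check worth running after any NAR change: the result for the read-only group should be exactly the members of its NDG and nothing from the core NDG.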