Login privs based on username - ACS 4.0 + AD

ktokash (Level 1)

Relevant background: Win2k3 Active Directory used for passwords, usernames/groups local to ACS (version 4.0), mixture of 2960s, 4900s, 6500s.

Goal: I'm trying to lock down a small set of users (2-4) to have read-only access to a few switches, and zero access to any other.

Current: I have the switches I want this group to access in a Network Device Group (NDG). The users are also in a group. I have given them read-only access. However, this group can log into other NDGs' member switches. When they get in, they have no enable access, but they can poke around a little bit, and to be honest it would just be cleaner if they couldn't log in at all.

I'm not interested in locking them down via IP, time, or anything other than their group within ACS. Is this even possible?

2 Replies

ethiel (Level 3)

If you go to Interface Configuration->Advanced Options, there is an option "Group-Level Network Access Restrictions". If you check that, then under each group you can define what devices members can authenticate on. Within your read-only group, you can go to the section "Per Group Defined Network Access Restrictions" and specify which hosts the users can authenticate to. You can also limit them by their source IP, but if you put * in the IP and port fields, then those users can connect from anywhere, just to the hosts you specify.

-Eric

Please remember to rate all helpful posts.
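To make the before/after behaviour of a group-level NAR concrete, here is an added Python model of the authorization decision described in the answer. It is example code written for this page, not Cisco ACS code or its API: it assumes a NAR is a list of permitted (AAA client or NDG, port, source address) rows with "*" as a wildcard, that a group with no NAR is accepted by every AAA client (the symptom in the question), and that a group with a NAR is refused everywhere no row matches. The device inventory, group names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class NarEntry:
    """One permitted-access row of a per-group NAR (assumed shape, not the ACS schema).
    '*' in any field is a wildcard, matching the '*' the answer suggests for IP and port."""
    aaa_client: str          # AAA client name or NDG name, or "*"
    port: str = "*"          # port the user comes in on, or "*"
    src_address: str = "*"   # "*", a single IP, or a CIDR block


@dataclass(frozen=True)
class Device:
    name: str
    ndg: str                 # Network Device Group the AAA client belongs to


@dataclass
class Group:
    name: str
    privilege_level: int     # 1 = read-only exec, 15 = full enable
    nar: Optional[Tuple[NarEntry, ...]] = None   # None = NAR not applied to this group


def _addr_matches(pattern: str, src_ip: str) -> bool:
    """Wildcard, exact-host, or CIDR match on the caller's address."""
    if pattern == "*":
        return True
    if "/" in pattern:
        return ip_address(src_ip) in ip_network(pattern, strict=False)
    return ip_address(src_ip) == ip_address(pattern)


def _entry_matches(entry: NarEntry, device: Device, port: str, src_ip: str) -> bool:
    client_ok = entry.aaa_client in ("*", device.name, device.ndg)
    port_ok = entry.port in ("*", port)
    return client_ok and port_ok and _addr_matches(entry.src_address, src_ip)


def authorize(group: Group, device: Device, port: str, src_ip: str) -> Tuple[bool, int, str]:
    """Return (login_permitted, privilege_level, reason) for one login attempt.
    No NAR on the group: every AAA client accepts the user (read-only, but logged in).
    NAR applied: only a matching row permits the login; anything else is refused."""
    if group.nar is None:
        return True, group.privilege_level, "no NAR on group: any AAA client accepts login"
    for entry in group.nar:
        if _entry_matches(entry, device, port, src_ip):
            return True, group.privilege_level, f"permitted by NAR row {entry}"
    return False, 0, "no NAR row matches: authentication refused"


# Constructed inventory: two NDGs the read-only users should see, two they should not.
SWITCHES: Dict[str, Device] = {
    "edge-2960-1": Device("edge-2960-1", "ro-switches"),
    "edge-2960-2": Device("edge-2960-2", "ro-switches"),
    "dist-4900-1": Device("dist-4900-1", "distribution"),
    "core-6500-1": Device("core-6500-1", "core"),
}

# Before: read-only group with no NAR (the state described in the question).
BEFORE = Group("readonly-users", privilege_level=1)

# After: same group with one NAR row, permitting only the ro-switches NDG, any port, any source.
AFTER = Group("readonly-users", privilege_level=1,
              nar=(NarEntry("ro-switches", "*", "*"),))


def audit(group: Group, src_ip: str = "10.0.0.25") -> Dict[str, bool]:
    """Which switches accept a login for this group from src_ip on a vty ('tty') port."""
    return {name: authorize(group, dev, "tty", src_ip)[0] for name, dev in SWITCHES.items()}


if __name__ == "__main__":
    for label, grp in (("before NAR", BEFORE), ("after NAR", AFTER)):
        print(label, audit(grp))
```

Running it prints every switch as reachable before the NAR and only the two ro-switches members afterwards; the group's privilege level is unchanged, so the NAR only decides where a login is accepted, not what the user may do once in.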

Muchas thanksas man, that worked just fine. In order to get a little "solved" star, I should add that one must then apply the NAR under the group settings.