Misconfigured ACS 5.5 allowing VPN users to log on to switches.

I've recently inherited an ACS 5.5 server that was upgraded from 4.1 a few weeks ago before I joined the company.

 

While digging through the config I noticed a lot of local users in a VPN group and while testing my credentials I found that I was able to use my VPN credentials to SSH in to my switches.

 

It appears that little work was done once the migration was complete. I believe that the issue revolves around the default policy being set to permit any user. Currently there are rules to allow our admin group to access our APC devices and a second rule for the admin group to access the switches, but because of the default permit any, any VPN user can also access any of the network devices.

 

It's been a few years since I set up a "new" 5.x ACS server, and in the past I was using AD mappings to restrict the VPN users to only the VPN, and I'm feeling a bit rusty on how to correct this.

1 REPLY

RADIUS or TACACS+ ?
