Cisco Support Community
Not allowing CSACS users to auth to FW/RTR

We are using our CSACS server to authenticate wireless users. I am finding, though, that I cannot add users to the wireless user group and allow them to authenticate via the APs without them also having access to our network infrastructure (routers/switches/firewalls).

How do I stop a user/group from being able to authenticate to devices? I only want them to authenticate if the request is coming from the APs.

Thanks

Accepted Solution
Cisco Employee

Re: Not allowing CSACS users to auth to FW/RTR

Use the Network Access Restrictions (NAR) section under the Group in ACS, specifically the "Per Group NAR" section. You would put all your wireless users into a specific group in ACS, and then add your wireless APs in as "Permitted Calling Points" under "Define IP-based access restrictions", meaning those users are allowed to authenticate against them, but not anything else. Put an * in for the Port and Address values; you don't care about those, only the fact that the authentication request is coming from an AP.

If you go under Interface Configuration - Advanced Options and enable Network Device Groups (NDGs), you can also put all your APs under one NDG and then just define that NDG as a Permitted Calling Point.

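To make the decision logic of the answer above concrete, here is an added example (not ACS code, and not part of the original thread) that models a per-group NAR: a group with no NAR is unrestricted, while a group that has a NAR only accepts requests arriving from the listed AAA clients or NDG, with the Port and Address fields wildcarded as the answer suggests. The AAA client inventory, group names and IP addresses are constructed for illustration. The check a practitioner wants after configuring this is the negative one: a wireless-group user must be rejected when the request comes from a router or firewall, and an admin group with no NAR must still work.

```python
"""Model of ACS per-group Network Access Restrictions (NAR).

Added illustration, not ACS internals. ACS identifies the AAA client from
the source of the request (plus its shared secret); this model keys on the
source IP only. All names and addresses below are constructed examples.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed AAA client inventory: name -> (IP address, Network Device Group)
AAA_CLIENTS = {
    "ap-floor1": ("10.0.10.11", "WirelessAPs"),
    "ap-floor2": ("10.0.10.12", "WirelessAPs"),
    "core-rtr1": ("10.0.0.1", "Routers"),
    "edge-fw1": ("10.0.0.254", "Firewalls"),
}


@dataclass(frozen=True)
class CallingPoint:
    """One 'Permitted Calling Point' row: an AAA client name or an NDG name,
    plus the Port and Address filters ('*' means don't care, as in the answer)."""
    client: str
    port: str = "*"
    address: str = "*"


@dataclass
class Group:
    name: str
    # Empty list means no NAR defined: the group may authenticate anywhere.
    permitted: list = field(default_factory=list)


def client_for_source(src_ip):
    """Look up which AAA client (and its NDG) a request came from."""
    for name, (ip, ndg) in AAA_CLIENTS.items():
        if ip == src_ip:
            return name, ndg
    return None  # unknown AAA client; ACS would not answer it at all


def nar_permits(group, src_ip, nas_port, calling_station):
    """True if the group's per-group NAR allows a request from src_ip.

    With a NAR in place the default is deny: a calling point is permitted only
    if its client field matches the AAA client name or its NDG, and the
    (wildcarded) Port and Address filters match too.
    """
    if not group.permitted:
        return True
    found = client_for_source(src_ip)
    if found is None:
        return False
    name, ndg = found
    for cp in group.permitted:
        if cp.client not in (name, ndg):
            continue
        if fnmatchcase(str(nas_port), cp.port) and fnmatchcase(calling_station, cp.address):
            return True
    return False


# Constructed groups: wireless users restricted to the AP NDG, admins unrestricted.
GROUPS = {
    "wireless-users": Group("wireless-users", [CallingPoint("WirelessAPs")]),
    "netadmins": Group("netadmins"),
}


def decide(group_name, src_ip, nas_port=0, calling_station=""):
    """Convenience wrapper: would ACS accept this group's user from src_ip?"""
    return nar_permits(GROUPS[group_name], src_ip, nas_port, calling_station)


if __name__ == "__main__":
    for grp, ip in [("wireless-users", "10.0.10.11"), ("wireless-users", "10.0.0.1"),
                    ("netadmins", "10.0.0.1"), ("wireless-users", "192.0.2.9")]:
        print(f"{grp:15} from {ip:12} -> {'permit' if decide(grp, ip) else 'deny'}")
```

Run it and confirm the wireless group is permitted only from the two APs; the same negative test (a wireless user logging in to a router or firewall) is what to try against the real ACS once the NAR is saved.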