Not allowing CSACS users to auth to FW/RTR

slug420
Level 1

We are using our CSACS server to authenticate wireless users. I am finding though that I cannot add users to the wireless user group and allow them to authenticate via the APs without them also having access to our network infrastructure (routers/switches/firewalls).

How do I stop a user/group from being able to authenticate to devices? I only want them to authenticate if the request is coming from the APs.

Thanks

Accepted Solution

gfullage
Cisco Employee

Use the Network Access Restrictions (NAR) section under the Group in ACS, specifically the "Per Group NAR" section. You would put all your wireless users into a specific group in ACS, and then add your wireless APs as "Permitted Calling Points" under "Define IP-based access restrictions", meaning those users are allowed to authenticate against them, but not anything else. Put an * in for the Port and Address values; you don't care about those, only the fact that the authentication request is coming from an AP.

If you go under Interface Configuration - Advanced Options and enable Network Device Groups (NDGs), you can also put all your APs under one NDG and then just define that NDG as a Permitted Calling Point.
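To make the resulting policy concrete, here is an added example (not ACS code and not from the poster) that models a per-group IP-based NAR: a "Permitted Calling Points" list means deny unless the request's NAS matches an entry, either by AAA client IP or by NDG, with `*` as the wildcard for Port and Address. The user names, group names, NDG names and addresses are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed AAA client inventory: NAS IP -> Network Device Group (assumed names).
AAA_CLIENTS = {
    "10.0.1.10": "Wireless-APs",
    "10.0.1.11": "Wireless-APs",
    "10.0.0.1": "Core-Routers",
    "10.0.0.254": "Firewalls",
}

@dataclass
class CallingPoint:
    """One Permitted Calling Point row: AAA client IP or NDG name, plus Port/Address filters ('*' = any)."""
    client: str
    port: str = "*"
    address: str = "*"

@dataclass
class PerGroupNAR:
    permitted: list = field(default_factory=list)  # empty list = group is unrestricted

def _matches(cp, nas_ip, nas_port, calling_station):
    # Match by exact AAA client IP, or by the NDG that client belongs to.
    client_ok = cp.client == nas_ip or AAA_CLIENTS.get(nas_ip) == cp.client
    port_ok = cp.port == "*" or cp.port == nas_port
    addr_ok = cp.address == "*" or cp.address == calling_station
    return client_ok and port_ok and addr_ok

def nar_permits(nar, nas_ip, nas_port="", calling_station=""):
    """True if the request may proceed: no NAR means allow, otherwise some permitted entry must match."""
    if not nar.permitted:
        return True
    return any(_matches(cp, nas_ip, nas_port, calling_station) for cp in nar.permitted)

# Constructed groups: wireless users restricted to the AP NDG, admins unrestricted.
USER_GROUPS = {"alice": "WirelessUsers", "bob": "NetAdmins"}
GROUP_NARS = {
    "WirelessUsers": PerGroupNAR([CallingPoint("Wireless-APs")]),
    "NetAdmins": PerGroupNAR(),
}

def authorize(user, nas_ip, nas_port="", calling_station=""):
    """Look up the user's group and evaluate that group's NAR against the requesting NAS."""
    group = USER_GROUPS.get(user)
    if group is None:
        return False
    return nar_permits(GROUP_NARS[group], nas_ip, nas_port, calling_station)

if __name__ == "__main__":
    print("alice from AP:", authorize("alice", "10.0.1.10"))        # True
    print("alice from firewall:", authorize("alice", "10.0.0.254"))  # False
```

A request from a NAS that is not a defined AAA client belongs to no NDG, so it is denied for the restricted group even though the group's entry is an NDG rather than an explicit IP.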
