Re: Radius and TACACS username with ACS 3.0

rrcarter79 · ‎01-13-2003

I'm using:

CiscoSecure ACS v3.0 for Windows 2000/NT

Release 3.0(1) Build 32

My network routers and switches are from multiple vendors, Cisco, Extreme, and HP. Some of the equipment supports radius, some Tacacs, and some both protocols.

I want to control aaccess and administration of the network equipment.

I have configured several users in ACS. I have assigned the network equipment with authenication using either radius (IETF) or tacacs+ (cisco ios).

I would like to create user names to associate with specific devices. So a set of radius users and a set of tacacs users to acess the appropriate devices or a subset of devices.

Is there anyway to seperate the usernames to used by specific devices within ACS or do I need to use seperate servers? Maybe associate a user name or user group with a device?

Thanks

gfullage · ‎01-13-2003

Sure. Put all your users into specific groups. Then in the group go into the Network Access Restrictions Section (near the top), check the "Per User Defined Network Access Restrictions " box, the select the device in the AAA Client drop down box, and use * for both Port and Address. Enter in each device one-by-one until you've got them all. Submit + Restart.

Now the users in that group will only be able to authenticate when connecting from one of those devices, any other device will result in a failed authentication.

If you want to get really good, you can define Network Device Groups and then define that in the NAR instead of each separate device. Or you can go under Shared Profile Components and define a Shared NAR and then define that in the group config.

There's multiple ways to do it, have fun.

rrcarter79 · ‎01-13-2003

Thank you for the quick response. That appears simple enough.

I am testing with a Cisco router (TACACS) and an Extreme switch (RADIUS)

I setup 2 Network Device Groups

- Cisco Equipment

- Extreme Equipment

I assigned a Cisco router to the NDG Cisco Equipment

I assigned an Extreme switch to the NDG Extreme Equipment

I created 2 user groups

- group Cisco - associated NAR's NDG Cisco Equipment

- group Extreme - associated NAR's NDG Extreme Equipment

I created 4 users

- 2 users in group Cisco

- 2 users in group Extreme

The Cisco router only allows the usernames that are associated with the NDG Cisco equipment. This is works how I would like.

The Extreme switch is allowing all usernames to login. This is not what I would like to happen.

Is there something I'm missing? I used a "*" for the address and port. Should I use the IP address and TACACS+ TCP or RADIUS UDP port number?

gfullage · ‎01-13-2003

The port number specifies the port number on the device that the user connects in on, you don't want to specify this as you'll probably never know what this will be. It's not referencing a TCP or UDP port number.

Try enabling the "Define CLI/DNIS-based access restrictions" section in the NAR and adding the Extreme switch into this, rather than in the IP-based access restrictions section. Depending on the format of the Radius request from the device, ACS can sometimes think it should use this section to check against. For example, if you use a VPN3000 to authenticate users against and you want to add it into a NAR, you have to add it into the CLI/DNIS section in ACS cause the format of the Radius packet is slightly different than with a router.

Use * for Port, CLI and DNIS when adding it in.

rrcarter79 · ‎01-14-2003

Thank you - yes the port is the destination port not the source.

I made the recommend modifications with no change in behavior.

The Extreme switch ( radius (IETF) ) stills allows the usernames associated with the Cisco router to login.

The Cisco router does not allow the users associated with the Extreme switch to login.

rrcarter79 · ‎01-14-2003

A second try.

Instead of putting the extreme switch in the CLI access restrictions I put the Cisco equipment in there.

Everything appears to working as I want. I have a few more tests to conduct.

Thank You