Our client has an ACS server and has implemented AAA for logging into switches and routers through ACS, which is configured for RADIUS. They are telnetting into routers and switches from any user, but they want to set access from only one user. Can someone please tell me what I can do to solve this problem?
If I understand this right, you have multiple users that can access the routers and switches right now but would like it so only 1 username has access?
If so, you could use NARs (network access restrictions) and deny access to everyone else but the one specific user.
2. Select the group which "already has" router switch access, edit the group settings
3. Then scroll down to the "per group defined network access restrictions". Enable it with a checkmark.
4. Select deny calling/point
5. AAA client = routers and switches (NDG)
6. Ports = *
7. Address = *
8. Hit enter and the new rule will be added to the window above.
9. Click submit (not submit and restart until you create the other NAR for the other group)
***Remember that groups that are mapped to an outside group (LDAP, AD) will be able to connect to your routers and switches UNLESS you tell the ACS not to. By default the ACS doesn't know not to let USER1 access the routers but not allow USER2.
That being said, you'll need to deny access to your routers and switches (network device group) to all groups that are not allowed to connect to those devices.
Click submit and restart, but remember this will stop authenticating users for the time it's restarting.
Hope this helps and feel free to ask any more questions.