Using ACS Appliance for AAA to Network Device and DOT1X Auth
I would like to perform the following in our environment. I currently have CS ACS Appliance v3.3. I plan to install CS Remote Agent on a Windows 2003 Domain Controller for the backend authentication database using A/D.
Goal: I want to use the ACS to perform authentication for the 5 employees from the Network Team on our network switches and routers using ACS TACACS+. The Network Team needs exec privileges. I would also like to perform DOT1X machine and user authentication using the same ACS as a Radius. General users will not have access to Network Switches and Routers.
Questions I hope you can answer:
1) Do I need to create a group in A/D with just the Network Team accounts and map an ACS group to that A/D group? I assume this will not be the default group in ACS, because the Unknown User Policy will put general users in this group when they first authenticate if I do not create each user account in a specified group?
2) Do I need to create a group in ACS with the host names of the computers and the user accounts?
3) Has anyone else tried this configuration?
4) Are there any sample deployment docs available that address this specific configuration?
Re: Using ACS Appliance for AAA to Network Device and DOT1X Auth
The problem you have with using AD accounts for 802.1x auth as well as Network admin is mapping the groups. You can't map groups based on the service being requested, so unless all your Network Team accounts map to the same group you would have used for 802.1x, then you have a problem.
So the best option is probably to create separate accounts inside ACS for network admins (a shame I know, since passwords will not be in step).
As for deployment docs there is a white paper I co-authored that describes how to get the most out of T+ Network Admin access.