Cisco Support Community

New Member

Windows Groups Authentication with ACS

I am trying to set up login authentication on all of our Cisco switches. I have created a Windows AD group called NetworkAdmins and added the correct users to that group. Inside of ACS I did a group mapping and mapped my ACS group called NetworkAdmins to my Windows NetworkAdmins group.

I configured my Cisco 3750 with the following commands for authentication.

aaa new-model
aaa authentication login NetworkAdmins group tacacs+ local
aaa authorization exec NetworkAdmins group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa session-id common

The authentication does work, but it authenticates any user, not just the users in the NetworkAdmins group. How do I tell the switch to only authenticate users in the NetworkAdmins group?

Thanks for the help!!

1 ACCEPTED SOLUTION

Re: Windows Groups Authentication with ACS

In ACS, under your group settings configure a NAR to allow the AAA clients. Under the default group in ACS configure a NAR to deny all AAA clients (or the necessary ones).

Hope that helps.

8 REPLIES

New Member

Re: Windows Groups Authentication with ACS

That appears to have worked. Thanks so much for the help!!! I do have one more question. Once the user is logged in, I issue the "enable" command. When I issue the enable command the switch asks for the enable password. I have the user set up with level 15 privileges; shouldn't the user go right to enable mode without having to type the enable password? How do I set up the user to go straight to enable mode when they log in, instead of having to enter the local enable password?

Thanks again

Re: Windows Groups Authentication with ACS

In your router/switch...

config t
line vty 0 4
 privilege level 15

That should do it! You can't do it with firewalls, they force you to enter the enable password.

New Member

Re: Windows Groups Authentication with ACS

Excellent!! Is there any way to do it per user instead of for every vty session?

Thanks again!!!!

Re: Windows Groups Authentication with ACS

Not that I know of. You can set up different authorization groups for people who should not have access to all commands, though.

New Member

Re: Windows Groups Authentication with ACS

Would you specify the authorization groups using the following command then?

aaa authorization commands 3 NetworkUsers group tacacs+ local

Re: Windows Groups Authentication with ACS

I do it in ACS. I've attached a little write up I did for reference. I hope it helps.
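The pieces of switch-side configuration are spread across the posts above (the named method lists in the original post, the vty privilege level in the first follow-up reply, and the command-authorization list in the last question). The following consolidated IOS configuration is an added example, not taken from any post in this thread or from Cisco documentation; it assumes a single ACS server at the placeholder address 192.0.2.10, a placeholder shared key, and a placeholder local fallback account, all of which have to be replaced. It also shows the step the original post leaves out: a named method list does nothing until it is applied to the vty lines.

```ios
! Added example (not from the thread). Placeholder values:
!   192.0.2.10                -> your ACS server address
!   PLACEHOLDER_SHARED_KEY    -> the TACACS+ key configured on the ACS AAA client
!   PLACEHOLDER_LOCAL_SECRET  -> the fallback local account secret
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER_SHARED_KEY
!
! Named method lists from the original post, plus command authorization
! for level 15 commands. "local" is consulted only when no TACACS+ server
! answers, not when ACS rejects the user.
aaa authentication login NetworkAdmins group tacacs+ local
aaa authorization exec NetworkAdmins group tacacs+ local
aaa authorization commands 15 NetworkAdmins group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting update newinfo
aaa session-id common
!
! Local account used only when every TACACS+ server is unreachable.
username admin-fallback privilege 15 secret PLACEHOLDER_LOCAL_SECRET
!
! Apply the named lists to the vty lines. Without these three lines the
! lists are defined but unused and the "default" lists apply instead.
line vty 0 4
 login authentication NetworkAdmins
 authorization exec NetworkAdmins
 authorization commands 15 NetworkAdmins
 privilege level 15
 transport input ssh
```

The `privilege level 15` line is the reply's answer to the enable-password question and applies to every session on those vty lines; which users are allowed to authenticate at all is still decided on the ACS side by the NAR default-deny from the accepted solution, which this switch configuration does not show. Keep the `local` fallback account in mind when reviewing access: it is reachable whenever the TACACS+ servers are down, so its secret deserves the same handling as the ACS admin accounts.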

New Member

Re: Windows Groups Authentication with ACS

I haven't got this part working yet, but thanks for the info. Your documentation is great!!!!
