ACS User Groups

matt.austin
Level 1

I have an issue.

We have 2 groups which are created in ACS, Group 1: Tacacs Access, and Group 2: Radius Access. The 1st group has individuals that have been created on the ACS server itself. The 2nd group is dynamic users who are being enabled access through User Manager for Domains. We do not want the 2nd group to be able to access our routers and switches with their Microsoft accounts, which they currently can, at least as far as the enable prompt. I would like the 2 groups to be totally independent of one another. Our 1st group is only used for our administrators to access all our network devices.

I am sure that some type of filtering or allowing of a certain group of IP addresses could be implemented on the ACS, but I am unsure where, if this is the case.

Can someone please help!

Thank You!

Matt

Accepted Solution

gfullage
Cisco Employee

You need to set up Network Access Restrictions (NAR), restricting Group 2 so that it cannot access the routers/switches.

Make sure Group-Level NAR is checked under Interface Config - Advanced Options. Then go under Group 2, to the NAR section, check the "Define IP-based access restrictions" box, select Table defines "Denied calling points", then select each of the routers/switches, using * for Port and Address, and add them to the table.

This will deny anyone in Group 2 from authenticating to any of the routers/switches.

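To make the NAR logic in the accepted answer concrete, here is a small added model (example code, not ACS code and not from the original post) of how a group-level, IP-based NAR is evaluated: each table row is an AAA client plus Port and Address, `*` matches anything, and with "Denied calling points" a matching row rejects the request while anything else falls through to the normal password check. The AAA client names, usernames and the `vpn-gateway` client that Group 2 is assumed to use are all constructed for the example. It goes one step beyond the answer by also showing the "Permitted calling points" variant: a denied table has to be updated every time a router or switch is added to Network Configuration, whereas a permitted table fails closed for any device that is not listed.

```python
"""Model of Cisco Secure ACS group-level, IP-based Network Access
Restriction (NAR) evaluation.  Added illustration only; not ACS code.
All AAA client names, users and group assignments are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WILDCARD = "*"
PERMITTED = "Permitted calling points"
DENIED = "Denied calling points"


@dataclass(frozen=True)
class CallingPoint:
    """One row of the NAR table: AAA client name (or "*" for all AAA
    clients), NAS Port and calling Address; "*" matches anything."""
    aaa_client: str
    port: str = WILDCARD
    address: str = WILDCARD

    def matches(self, aaa_client: str, port: str, address: str) -> bool:
        pairs = ((self.aaa_client, aaa_client),
                 (self.port, port),
                 (self.address, address))
        return all(p == WILDCARD or p == v for p, v in pairs)


@dataclass
class GroupNAR:
    """'Table defines' semantics: DENIED rejects listed points and passes
    everything else; PERMITTED passes only listed points (fail closed)."""
    table_defines: str
    entries: List[CallingPoint] = field(default_factory=list)

    def allows(self, aaa_client: str, port: str, address: str) -> Tuple[bool, str]:
        hit = any(e.matches(aaa_client, port, address) for e in self.entries)
        if self.table_defines == DENIED:
            return (not hit, "denied calling point" if hit else "not in denied table")
        return (hit, "permitted calling point" if hit else "not in permitted table")


# Constructed AAA clients as they would appear under Network Configuration.
NETWORK_DEVICES = ["core-rtr-1", "dist-sw-1", "access-sw-1"]

# Constructed users: one local ACS admin, one Windows-domain user.
USER_GROUP: Dict[str, str] = {
    "admin.matt": "Tacacs Access",
    "domain.bob": "Radius Access",
}


def deny_network_devices(devices: List[str]) -> GroupNAR:
    """The accepted answer's recipe: every router/switch, Port * Address *."""
    return GroupNAR(DENIED, [CallingPoint(d) for d in devices])


def permit_only(devices: List[str]) -> GroupNAR:
    """Stricter alternative: Group 2 may authenticate only via these clients."""
    return GroupNAR(PERMITTED, [CallingPoint(d) for d in devices])


# Group 1 has no NAR at all, so the two groups stay independent.
GROUP_NAR: Dict[str, Optional[GroupNAR]] = {
    "Tacacs Access": None,
    "Radius Access": deny_network_devices(NETWORK_DEVICES),
}


def authenticate(user: str, aaa_client: str, port: str, address: str,
                 group_nar: Optional[Dict[str, Optional[GroupNAR]]] = None) -> Tuple[bool, str]:
    """Return (passes_nar, reason) for an authentication request arriving
    from aaa_client.  A passing result still goes on to the password check."""
    table = GROUP_NAR if group_nar is None else group_nar
    group = USER_GROUP[user]
    nar = table.get(group)
    if nar is None:
        return True, f"{group}: no NAR defined"
    ok, why = nar.allows(aaa_client, port, address)
    return ok, f"{group}: NAR {why}"


if __name__ == "__main__":
    for user, client in [("admin.matt", "core-rtr-1"),
                         ("domain.bob", "core-rtr-1"),
                         ("domain.bob", "vpn-gateway")]:
        print(user, "->", client, authenticate(user, client, "tty1", "10.1.1.5"))
```

Running the block shows the domain user rejected at `core-rtr-1` while the admin is untouched. Note the last two assertions below: with the denied table a device added later (`new-sw-9`) is reachable until someone adds it to Group 2's NAR, which is the operational reason to consider the permitted-table form once you know which AAA clients Group 2 legitimately uses.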

2 Replies


Thanks for your expertise!

The solution you recommended worked great!

I appreciate your assistance, good luck in your endeavors!