08-26-2008 08:14 AM
I would like to limit access only to the VLAN port assignment. So I've checked the "VLAN Port Assignment" box in the user profile created on my ACS.
The problem is that there is no devices listed under Configuration/VLAN Port Assignment/Device Selector window/All Devices.
When I put the user on the Network Admin group, I can list devices.
Also, I found a security problem. When I limit the access to an NDG, devices under "All Devices" respect that limitation. But when you go under Campus-Switch Clouds-Switchcloud-1, all devices are listed and I can change the VLAN of any interface.
Is that normal?
I'm using LMS 3.1 and ACS 4.1
When a user connects to LMS, the ACS log file shows the source IP as the IP of the CiscoWorks server. Is there a way to obtain the user's workstation IP to restrict access only from his IPs?
Thanks.
08-26-2008 09:19 AM
First, the fact that Campus Topology doesn't respect ACS roles is a known limitation. This will be fixed in LMS 3.2. See CSCsk11553.
As for not seeing devices, make sure the group to which the user belongs has access to the devices NDG as well as the NDG which contains the LMS server. Make sure this has been done for the Campus Manager application.
08-26-2008 09:51 AM
Thanks again Joe.
For my last question, is there a solution?
How can I limit the access to CiscoWorks from a specific workstation, i.e. a specific IP, as CiscoWorks does not send the host IP in the TACACS+ request?
08-26-2008 10:50 AM
No, this cannot be done. Roles are restricted only to user/group.