Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1001
Views
10
Helpful
3
Replies

Verify Group access in ACS

wilson_1234_2
Level 3
Level 3

‎10-04-2007 07:23 AM

I am trying to understand how to configre a more granular access to the network via group network access restriction.

Basically, we have several groups set up, but I think they are all allowed access to everything.

I have remote users that work for the company that need access to network resources, but none of the network gear.

we also have third parties that have access to Firewalls for management and another third party that has access to routers and switches.

I need to make sure everything is controlled and they only have access to what we want to allow.

What does "Shared Network Access Restictions" allow you to do?

I am unable to view anything in "View IP NAR" after selecting the

"Only allow network access when"

In Per Group Defined Network Access Restrictions, I have the checkmark on

"Define IP Based access restrictions"

and

"Permitted Calling/Point of access Locations"

Do you set one as permit and the other as deny?

What if you want to allow access to servers, do you have to add every port in the box shown?

If Network Access Restrictions are not configured, does the user in that group have access to everything?

Labels:
0 Helpful
3 Replies 3

Jagdeep Gambhir
Level 10
Level 10

‎10-06-2007 05:27 AM

Hi,

If you allow only one device in "Permitted Calling/Point of access Locations" then rest all devices would be denied access.

If you deny one device then rest all devices would be allowed.

If NAR's is not configured then acs will allow user to login in to all aaa clients. But other way is if you use ex db then you can set mapping for some groups and deny rest of the combinations.

Example :

ACS ---> Ex db---> Ext db group mapping,

AD Group ACS

domain user <====> Group1

domain admin<====> Group2

All other combination<==> No Acsess

That means only if user is a part of AD group (domain admin or domain user) acs will authorize that user as per condition defined in acs groups BUT any user who is not a part of above AD group would not be allowed to login due to the reason we have set mapping (all other combinations = No access)

So , in your scenario this is what you need to do,

Let say we have acs group 1 ( we want this group to be allow access only to Firewalls)

We will set up NAR's as per the attached file. You need to set up both IP based and CLI/DNIS based NAR.

Let me know if you have any doubts.

Regards,

~JG

Please rate helpful posts.

Preview file
199 KB

wilson_1234_2
Level 3
Level 3
In response to Jagdeep Gambhir

‎10-06-2007 04:21 PM

Thank you for the informative post.

Does the document show that wildcard (*) can be used for all ports and all addresses?

In "IP Based Access Restriction" can I use the groups defined in "Network Configuration" in the ACS?

What is the difference between "IP Based Access Restriction" and "CLI/DNIS access restriction"?

Why do I need to define both of the above?

0 Helpful

Jagdeep Gambhir
Level 10
Level 10
In response to wilson_1234_2

‎10-08-2007 02:49 PM

Hi Wilson,

Yes, in ip based access restriction you can use groups defined in "Network Configuration" in the ACS.

CLI/DNIS is used in restricting a AAA client when you do not have an established IP-based connection. Like PPP , wireless.

It is not necessary to use both. If request is coming have a IP address then there is no need to use CLI based NAR.

Regards,

~JG

Customers Also Viewed These Support Documents