I'm working with CiscoSecure ACS 3.0 for Windows and have a client who wants to authenticate users via TACACS for their routers. Basic authentication is working fine. They are looking to only allow one group of users to log in to a few routers, and everyone else to be able to log in to all routers.
They have created 2 groups, one for everyone, and the other group for the few users who only need to login to the few routers.
I'm trying to find a way within ACS to permit that group's users to authenticate on those specified devices only. So far, I haven't been able to find a way to do this. The customer would rather do this via TACACS than use access-lists, access-classes, or a local username database on the routers.
Does anyone have any ideas on how to do this in ACS?
Under the 'Group Setting' for the group you want to minimize access for, look for the Network Access Restrictions area (just below the default time of day and callback settings). Check the check box. Specify in the Table Defines pull down 'Permitted Calling/Point of Access Locations'. In the Access Server pull down, look for one of the routers you want to give this group access to. Just put an asterisk (*) in the Port and Address field. Then click the enter button to add the NAS. Continue adding NAS' in the same manner.
Thanks a lot... that did it. I was just about to read up on the network access restrictions. I haven't really used ACS that much but have now been playing with it for the past 2-3 days and think I have a fairly good understanding now.