Issue on ACS authentication with tacacs

6dred
Level 1


Hello

In my organisation we want to begin using ACS with Windows Active Directory to authenticate users
for accessing network devices.


We have a Cisco Secure ACS v3.3 that we used in the past for a different thing.

As a first test I have configured a network device with the commands on the IOS and I have included
this device on Network configuration -> NetDevices AAA Clients. The user for the test belongs to an AD
group that is going to be the Network administrators group.

So far I have found it easy, and it seems to work, but the problem is that EVERY USER in a mapped AD group can
authenticate and open a session on this test device, no matter the group.

The only parameter I have modified in the Network Administrators group permissions is
"Privilege level", and set it to 15, but it is not enough. Somewhere there should be an option where I
can configure the name of the only group of network administrators.

If I define a Network Access Restriction on each group ("Network Access Restrictions (NAR)", check
"Denied Calling/Point of Access Locations" and enter all AAA clients (All AAA Clients *   * )),
the user in this group appears as filtered, but I don't want to modify all the groups; it is not
an efficient solution, and I am sure that there is a way to configure it properly.

Please, can someone help me to fix this or post some links showing how the config should be done for
this to work?

Apologies for this, maybe it is such an easy question, but I cannot figure out the solution.

Thanks!

Accepted Solution

No, you don't want to do group mapping at the IOS device. The IOS device cannot do that. You still need to do group mapping in ACS like you do with TACACS.

If I understand correctly, you don't want to open IOS device access to everyone in AD. So try the following steps with RADIUS:

1. Configure new group in ACS. If you want to assign privilege level for users in this group, use

cisco-avpair= "shell:priv-lvl=xx":

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/swauthen.html#wp1091725

2. Configure group mapping for the Windows database to map the AD group to an ACS group.

3. Create a Network Access Profile. In the authorization policy of the profile, you can configure the policy to only allow access for a certain ACS group and deny all other groups if no condition matches.

If you find the post is helpful, pls rate.

4 Replies

zhenningx
Level 4

I'd like to know the answer to this as well. Seems like there is no easy solution in ACS 3.x or 4.x. Network Access Profile should be the solution if using RADIUS. Using NAP you can configure ACS to only allow one group and deny all other groups. But NAP does not support TACACS. You should be able to easily achieve this with ACS 5.

Thanks zhenningx for your response.

Then I left the TACACS tests and have returned to configuring RADIUS to verify that I can implement these group restrictions.

So I focused on the Class attribute [25] of the IETF RADIUS attributes. The well-known format: OU = PoliticaAdmin;

[...]
Feb  3 10:27:17.577: RADIUS:  Class               [25]  19 
Feb  3 10:27:17.577: RADIUS:   4F 55 3D 50 6F 6C 69 74 69 63 61 41 64 6D 69 6E  [OU=PoliticaAdmin]
Feb  3 10:27:17.577: RADIUS:   3B                 [ ;]
Feb  3 10:27:17.577: RADIUS:  Class               [25]  41 
[...]

I can see in the log of my test machine the access for my user, and this parameter is correctly received. How can
the device pick up the OU in order to realize that the user belongs to that Organizational Unit? I've seen that on an ASA the command would be something like "group policy", but it is not available for IOS.

Thanks in advance, you are very attentive.
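An added example, not code from the thread or from Cisco: a small Python parser that reassembles the Class [25] attributes from `debug radius` lines in the format quoted above and reports which OU the user was given, which is a quick way to verify what ACS actually sends before relying on group mapping. The first Class value is the one shown in the post; the second (OU=Guests;) and the helper names are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample in the "debug radius" format quoted in the thread. The
# first Class attribute is the poster's; the OU=Guests one is made up here.
SAMPLE_DEBUG = """\
Feb  3 10:27:17.577: RADIUS:  Class               [25]  19
Feb  3 10:27:17.577: RADIUS:   4F 55 3D 50 6F 6C 69 74 69 63 61 41 64 6D 69 6E  [OU=PoliticaAdmin]
Feb  3 10:27:17.577: RADIUS:   3B                 [ ;]
Feb  3 10:27:17.577: RADIUS:  Class               [25]  12
Feb  3 10:27:17.577: RADIUS:   4F 55 3D 47 75 65 73 74 73 3B  [OU=Guests;]
"""

HEADER = re.compile(r"RADIUS:\s+(\S+)\s+\[(\d+)\]\s+(\d+)\s*$")   # name [type] length
HEXLINE = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}\s+)+)\s*\[")     # hex bytes  [ascii]

@dataclass
class Attribute:
    name: str
    type_id: int
    declared_len: int            # RADIUS length field covers the 2-byte type/length header
    value: bytearray = field(default_factory=bytearray)

    def complete(self) -> bool:
        return len(self.value) == self.declared_len - 2

def parse_debug(text: str) -> list[Attribute]:
    """Reassemble attributes: a header line followed by one or more hex lines."""
    attrs: list[Attribute] = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            attrs.append(Attribute(m.group(1), int(m.group(2)), int(m.group(3))))
            continue
        h = HEXLINE.search(line)
        if h and attrs:
            attrs[-1].value.extend(bytes.fromhex(h.group(1).replace(" ", "")))
    return attrs

def class_ous(attrs: list[Attribute]) -> list[str]:
    """OU names carried in complete Class [25] attributes; truncated ones are ignored."""
    ous: list[str] = []
    for a in attrs:
        if a.type_id != 25 or not a.complete():
            continue
        for part in a.value.decode("ascii", errors="replace").split(";"):
            if part.startswith("OU="):
                ous.append(part[3:])
    return ous

def is_admin(attrs: list[Attribute], admin_ou: str = "PoliticaAdmin") -> bool:
    """True only if the admin OU appears in a fully received Class attribute."""
    return admin_ou in class_ous(attrs)
```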

Hello, zhenningx

These steps should work on Release 4.0:

[...]

Cisco Secure Access Control Server Release 4.0 for Windows, hereafter referred to as ACS, includes Network Access Profile (NAP) support.

[...]

But in v3.3 the Profile Setup doesn't appear.

Actually, I had found this procedure (Create a NAP):

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/nac_conf.html#wp998994

But no way, I can't complete it.

Thanks anyway, really appreciate your help.