Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Issue on ACS authentication with tacacs


Hello

On my organisation we want to begin using ACS with Windows Active Directory to authenticate users
for accessing Network devices.


We have a Cisco Secure ACS v3.3 that we used in the past for a different thing.

As a first test I have configured a network device with the commands on the IOS and I have included
this device on Network configuration -> NetDevices AAA Clients. The user for the test belongs to an AD
group that is going to be the Network administrators group.

So far I have found it easy, seems to work, but the problem is that EVERY USER on a mapped AD gruop can
authenticate and open a sesion on this test device, no matter the group.

The only parameter I have modified on Network Administrators group permissions is
"Privilege level", and set it to 15, but it is not enough. Somewhere should be an option where I
can configure the name of the only group of network administrators.

If I Define a Network Access Restriction on each group "Network Access Restrictions (NAR)" Check
"Denied Calling/Point of Acces Locations" and enter al AAA clients (All AAA Clients *   * )
the user on a this group appears as filtered, but I don't want to modify all the groups, is not
an efficient solution, I am sure that there is a way to configure it properly.

Please, can someone help me to fix this or put here some links to see how the config should be done for
this to work?.

Apologies of this, maybe is such an easy question, but I can not figure out the solution.

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Issue on ACS authentication with tacacs

No you don't want to do group mapping at the IOS device. the IOS device cannot do that. You still need to do group mapping in ACS like you do with Tacacs.

If I understand correctly, you don't want to open IOS device access to everyone in AD. So try following steps with Radius:

1. Configure new group in ACS. If you want to assign privilege level for users in this group, use

cisco-avpair= "shell:priv-lvl=xx":

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/swauthen.html#wp1091725

2.Configure group mapping for Windows database to map AD group to ACS group.

3.Create a Network Access Profile, in the authorization policy of the profile, you can configure the policy to only allow the access for certain ACS group but deny all other groups if no condition match.

If you find the post is helpful, pls rate.

4 REPLIES
Bronze

Issue on ACS authentication with tacacs

I'd like to know the answer to this as well. seems like no easy solution in ACS 3.x or 4.x. Network Access Profile should be the solution if using radius. Using NAP you can configure ACS to only allow one group and deny all other groups. But NAP does not support Tacacs. You should be able to easily achieve this with ACS5.

New Member

Issue on ACS authentication with tacacs

Thanks zhenningx for your response.

Then, I left the tacacs tests and have returned to configure radius to verify that I can implement these group restrictions.

So I focused on the class attribute [25] IETF RADIUS Attributes. The well-known format: OU = PoliticaAdmin;

[...]

Feb  3 10:27:17.577: RADIUS:  Class               [25]  19 

Feb  3 10:27:17.577: RADIUS:   4F 55 3D 50 6F 6C 69 74 69 63 61 41 64 6D 69 6E  [OU=PoliticaAdmin]

Feb  3 10:27:17.577: RADIUS:   3B                 [ ;]

Feb  3 10:27:17.577: RADIUS:  Class               [25]  41 

[...]

I can see in the log of my test machine access for my user, and this parameter is correctly received. How can

the device pick up the OU in order to realize that the user belongs to that Organizative Unit? I've seen that in an ASA command would be something like "group policy", but is not available for IOS.

Thanks in advance, you are very attentive.

Bronze

Re: Issue on ACS authentication with tacacs

No you don't want to do group mapping at the IOS device. the IOS device cannot do that. You still need to do group mapping in ACS like you do with Tacacs.

If I understand correctly, you don't want to open IOS device access to everyone in AD. So try following steps with Radius:

1. Configure new group in ACS. If you want to assign privilege level for users in this group, use

cisco-avpair= "shell:priv-lvl=xx":

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/swauthen.html#wp1091725

2.Configure group mapping for Windows database to map AD group to ACS group.

3.Create a Network Access Profile, in the authorization policy of the profile, you can configure the policy to only allow the access for certain ACS group but deny all other groups if no condition match.

If you find the post is helpful, pls rate.

New Member

Re: Issue on ACS authentication with tacacs

Hello, zhenningx

These steps should work on Release 4.0:

[...]

Cisco Secure Access Control Server Release 4.0 for Windows, hereafter referred to as ACS, includes Network Access Profile (NAP) support.

[...]

But in v3.3 it doesn't apear the Profile Setup.

Actually, I had found this procedure (Create a NAP)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/nac_conf.html#wp998994

But no way, I can't complete it.

Thanks anyway, really appreciate your help.

585
Views
0
Helpful
4
Replies