Cisco Support Community
Community Member

ACS server v3.2 group based access control

Hi, my ACS server has many groups and an unknown user policy defined to look up users in external AD.

I want to restrict access to a specific networking device to users in a specific group.

What is happening now: if a user is not in the ACS user list, ACS looks in AD and authenticates the user to that networking device.

It is a PIX with VPN client access; users have to VPN-client in to this PIX to access the network behind the PIX.

Any advice will be much appreciated.

3 REPLIES
Gold

Re: ACS server v3.2 group based access control

Use NAR (Network Access Restriction): under group properties, check the field "Define IP-based access restrictions", select "Denied calling/point of access locations", then select the proper AAA client...

Check this for more details

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

M.

Hope that helps; rate if it does.

Community Member

Re: ACS server v3.2 group based access control

Hi, that won't help in my situation.

NAR would restrict access to a selected list of networking devices for users in that group. This won't prevent users in our AD from authenticating to the networking device, because we have the unknown user policy enabled to pass authentication to AD.

Thanks for your support

Community Member

Re: ACS server v3.2 group based access control

It sounds like you may need to structure ACS a little. So you want to create a group called "VPN-CLNT" and drop those users in for VPN access to a PIX? The way I did mine is this: since a user can only be a member of one group, for each department I have subgroups. I create VPN groups for each department, for instance (HR:RMT), and tie these to users that need to VPN and have wireless. But then I have the base (HR) group with a "deny any" created as a placeholder for future use such as Clean Access. Every organization has its own way of doing it. But anyway, r.perera is right about using NAR. You do, however, have to enable NAR on all the other groups to deny or permit authentication to your NAS devices. That's why I'm recommending that it would be a good time to plan out your layout so applying NARs won't be so painful and confusing. Hopefully that helps.

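The decision flow the thread is arguing about, written out as a small Python model. This is an added illustration, not Cisco ACS code and not anything a poster supplied: it assumes simplified NAR semantics (a group carries either a "permit only these AAA clients" list or a "deny these AAA clients" list), and the group names, usernames and AAA client addresses are constructed. It shows why a NAR on the VPN group alone leaves an AD-only user able to reach the PIX through the unknown user policy, and what changes once the group that unknown users map to carries a deny NAR for the PIX, which is the point the last reply makes.

```python
"""
Model of ACS-style authorization as described in the thread:
1. look the user up in the local user list;
2. if absent and an Unknown User Policy is set, authenticate against
   external AD and map the user to the policy's default group;
3. apply the resulting group's Network Access Restriction (NAR) to the
   AAA client (NAS) the request came from.
Simplified, constructed model; not Cisco code.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed AAA client addresses (assumptions, not from the thread).
PIX = "10.0.0.1"          # the VPN PIX the question is about
CORE_SWITCH = "10.0.0.2"  # some other device ACS also fronts


@dataclass(frozen=True)
class Nar:
    # "permit": only the listed clients may be reached by this group.
    # "deny":   the listed clients are refused, everything else allowed.
    mode: str
    clients: FrozenSet[str]

    def allows(self, nas: str) -> bool:
        if self.mode == "permit":
            return nas in self.clients
        if self.mode == "deny":
            return nas not in self.clients
        raise ValueError(f"unknown NAR mode {self.mode!r}")


@dataclass(frozen=True)
class Group:
    name: str
    nar: Optional[Nar] = None  # None = no restriction at all


@dataclass
class AcsModel:
    groups: Dict[str, Group]
    local_users: Dict[str, str]         # username -> group name
    ad_users: Set[str]                  # usernames AD would authenticate
    unknown_user_group: Optional[str]   # group unknown AD users map to; None = reject

    def authorize(self, user: str, nas: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for `user` authenticating via `nas`."""
        if user in self.local_users:
            group = self.groups[self.local_users[user]]
            source = "local"
        elif self.unknown_user_group and user in self.ad_users:
            # Unknown User Policy: AD authenticates, ACS maps to default group.
            group = self.groups[self.unknown_user_group]
            source = "AD"
        else:
            return False, "authentication failed"
        if group.nar is None or group.nar.allows(nas):
            return True, f"{source} user in {group.name}: NAR permits {nas}"
        return False, f"{source} user in {group.name}: NAR denies {nas}"


def run_scenarios() -> Tuple[Dict[str, bool], Dict[str, bool]]:
    """Before/after: NAR only on VPN-CLNT vs. deny-NAR also on the default group."""
    vpn_group = Group("VPN-CLNT", Nar("permit", frozenset({PIX})))
    before = AcsModel(
        groups={"VPN-CLNT": vpn_group, "Default Group": Group("Default Group")},
        local_users={"alice": "VPN-CLNT"},   # alice is a listed VPN user
        ad_users={"alice", "bob"},           # bob exists only in AD
        unknown_user_group="Default Group",
    )
    before_results = {
        "alice@pix": before.authorize("alice", PIX)[0],
        "alice@switch": before.authorize("alice", CORE_SWITCH)[0],
        "bob@pix": before.authorize("bob", PIX)[0],  # the OP's complaint
    }
    # The fix the last reply describes: every other group gets a NAR too.
    after = AcsModel(
        groups={
            "VPN-CLNT": vpn_group,
            "Default Group": Group("Default Group", Nar("deny", frozenset({PIX}))),
        },
        local_users=before.local_users,
        ad_users=before.ad_users,
        unknown_user_group="Default Group",
    )
    after_results = {
        "alice@pix": after.authorize("alice", PIX)[0],
        "bob@pix": after.authorize("bob", PIX)[0],
        "bob@switch": after.authorize("bob", CORE_SWITCH)[0],
    }
    return before_results, after_results


if __name__ == "__main__":
    for label, results in zip(("before", "after"), run_scenarios()):
        print(label, results)
```

Running it shows bob, who is only in AD, reaching the PIX in the "before" layout even though the VPN group's NAR is correct, and being refused only once the default group that unknown users land in carries its own deny entry for the PIX, while his access to the core switch is untouched.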