Cisco ACS restrict a user to specific routers
Hello
We have ACS v3.2 in our network, I created a new user and added to a group, is it possible in this group to specify what routers / switches to the user is able to telnet, with some sort of ACL or something? I read something on:
Filter access network (NAF)
which is available in 4.0, should I upgrade to be able to do this?
I tried to put a group defined Network Access Restrictions, but this seems to be what network you are telenting from?
Sorry, please have patience, I'm new on ACS
Thank you!
Hello
I use ACS v4.2 so don't know if you'll get the same features, but you can select the NDG your routers reside in slot per group defined Network Access Restrictions > drop-down list AAA Client? If so simply select each NDG, you want this group to have access to the break-in * in the Port and * address. This will allow any IP address telnet/ssh power for devices in each NDG you enter.
If you wish you can control the IP addresses that access your routers by placing an access on each router list (stops messing around with that stuff, if you're not familiar with it).
I hope this helps...
Tony
Tags: Cisco Security
Similar Questions
-
Cisco ACS 4.1 - user profile changes
There is no option in Cisco ACS 4.1 Solution where we can specify the option that "user must change password on the next logon" as it used to be in Cisco ACS 3.X ".
Is it possible same functionality can be enabled on Cisco ACS 4.1
Concerning
Sohail Sarwar
Hello
That option does not exist in ACS 4.x.
HTH,
Tiago
--
If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.
-
Cisco ACS user password change?
Hi all
Even if I don't check "Change Enable by PEAP password" setting on Cisco ACS, when a user tries to log on to the wireless network, whose domain password is going to expire, receives a popup on Windows XP, saying that their password is about to expire?
Is this normal?
PS: Check the screenshot attached.
ACS is not able to send these messages for wireless users.
He sends the AD.
-
Access restriction configuration network devices with the level of the ACS 5.0 user
Hi Experts,
I have some configuration tasks TACAC with level of different user for all routers and switches,
To further develop, I engineer, analyst and site engineers, so I want to configure centralized authentication with Annie tacac different levels for the various categories of network engg. Analyst, site engineer,
can someone explain about how to proceed with ACS 5.2 and what configuration is required at the peripheral level.
I'm particularly looking for the 5.2 acs configuration procedure.
Looking forward to get the answer.
In "default device admin" just create authorization rules.
They should look like "If the user/group type = site engineer, then assign the shell profile X.
You then define the profile of shell in the elements of policy and put in there all the privileges of your engineer to site.
And so on for the other roles
-
Cisco ACS 5.2 with NX - OS (Nexus) devices user - questions
Hey, I have a really strange problem with Cisco ACS 5.2 and Nexus NX - OS devices.
I create an account on ACS, let's call him User1 and give privilege 15. With User1, I am able to access on all our IOS, IOS - XE, ASA and PIX devices with privilege 15.
When I use the User1 account in our NEXUS devices, I do NOT receive the access privilege 15. As you probably know, the NEXUS devices have roles: predefined or custom roles. So I assumed I would get the role of "network-admin" (15 private read/write) User1 when you connect, but instead I got the role of 'vdc-operator' (private 1 read-only).
Then I tried to twist User1 and give network-admin under profile Shell > Custom Attributes. I logged in the NEXUS and of course I was able to get a network-admin access. However, my access to ALL other devices (IOS, ASA, PIX, etc.) does NOT work! I am not even able to connect with my login and my password for these devices.
Has anyone ever experience this problem? Help, please!
Thank you
neocec
This is a common problem when you mix with RBAC and IOS devices authorization policies, the pair av that you created must be set 'optional' instead of 'compulsory', please make this change and you will be able to access all your devices.
Thank you
Tarik
-
Cisco ACS 4.2 a user in several local groups
Currently, I like this group map
ACS groups window
GRP of GRP-A-B-1 and PDM - 2
GRP - A. GRP - 1GRP - Grp-2 B
For example currently a user test1 is part of two groups 1 and 2 under windows and is mapped to the Grp-A-B of the CSA. Is it possible if I delete the mapping of Grp-A-B in ACS and can see the user test1 speratley in both groups (Grp - A and Grp - B) to GBA?
Salam Muhammad,
If you have a local user in ACS, this user cannot be a member of both groups at the same time.
The same concept applies to external users. They cannot be mapped to two different groups at the same time.
If you delete the configuration of Grp-A-B, the test1 user will be mapped to the first group in the list because ACS 4.2 process mapping group in the order:
' the snip "'
Order of group mapping
ACS always maps users to a single group of TISA. However, a user can belong to several groups the group mapping. For example, a user named John could be a member of the ensemble of the engineering group and California, and at the same time be a member of the combination of Group Engineering and management. If the value of group ACS mappings exist for these two combinations, ACS must determine what group John should be affected.
ACS prevents contradictory group set mappings by assigning an order of mapping for the whole group maps. When a user who is authenticated by an external user database is assigned to a group of ACS, ACS begins at the top of the list of groups for this database mappings. ACS sequentially checks group memberships of user in the database of the external user against each group mapping in the list. Where to find the first set group mapping corresponding memberships to external users in the user database, ACS assigns the user to the group this group map ACS and ends the process of mapping.
' the snip "'
Reference:http://goo.gl/cvc474
HTH
Amjad
Rating of useful answers is more useful to say "thank you".
-
Restrict a user/group to allow access only to specific shared services groups
Hello team,
I have EMP 11.1.2.2. I created different groups) a ' Admin_groupA') b ' App_groupA' c) "App_groupB" under the native directory. I have configured Shared services-> administrator to this 'AdmingroupA '. Those who belong to this group "AdmingroupA" is able to add a new user to the directory of companies to provide access to the group 'App_groupA '. But I don't want the users of 'Admin_groupA' to access 'App_groupB '.
Since I put in service Shared services administrator privelge to this group of "AdmingroupA", "AdmingroupA" users are able to access "App_groupB" also. Can you please let me know how I can limit 'AdmingroupA' to provide access to users to the group "App_groupA".
Thank you for your valuable contributions.
You said, as you have configured administrator privileges of shared services to this 'AdmingroupA '. I don't think that you can restrict the user from this group to provide access to other users.
...
Did you hear about delegate user management? Managing Director can view and manage only those users and groups which they are responsible. Good read on the your hss version Administrator's guide and see if it helps!
See you soon
BP
-
How can I use Cisco ACS to save Shell commands
Hi guys, pleeeease how can I configure Cisco ACS to do command authorization on my Cisco 3660 router. I get the accounting logs and authentication but no newspaper that show orders issued by users - shell and it's the most important paper that I need. I read materails and download articles on the site of Cisco... but the thing is still does not give me the papers.
I have these lines on my router:
...
AAA authorization config-commands
AAA authorization exec default group Ganymede +.
AAA authorization commands 15 default authenticated if
AAA authorization network default group Ganymede +.
...
It's funny, when I turn on debugging of the authorization of the AAA on the router, it shows me every command being sent by the user on the debug log. But nothing shows under Administration TACAC + on the Cisco Secure ACS. What is responsible for this?
*****************************************************
I installed the trial version of the Cisco ACS 90 days and made all necessary settings and I have to say I like what I see already. I'm opening moves to recommend the product to purchase. Thank you guys, I got about the features of this ACS software through this forum, keep up the good work. I recommend the software for those who need to have adapted to the management reports Security Audit logs.
If I understand what you're asking correctly, the answer is not in the authorization, that it is in accounting. I set up on my routers and send to ACS orders that level 15 privilege users enter on the router.
orders accounting AAA 15 by default start-stop Ganymede group.
-
With the help of Cisco ACS 5.2 (GANYMEDE +) with other than Cisco devices
Hi all
I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their nodes (other than Cisco) network via GANYMEDE + involved nodes are
Juniper M10i running Junos 9.2, M120
M320 running Junos 8.5 Juniper
Extremes of BD8810 and BD8806 running 12.4.1.17 XOS
3804 Alpine extreme Extremeware 7.8.3.5 running
My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate using GANYMEDE + to these other than Cisco devices. Has anyone else done this or I have to use RADIUS? If someone has done this are problems of interoperability with Cisco CS and Junos or XOS extreme. Thank you
/ John
John,
We have a very large deployment of Juniper (T-series, series MX, etc.). We use Cisco ACS and GANYMEDE to manage these devices. The configuration of the ACS is fairly simple. You'll want to create users to connect and match them to the classes on your JUNOS routers. Here is an example:
set system login user uid of engineering 2000
Set system login user engineering genius-class class
set the connection user uid to NOC 2001 System
Set system login user AC AC-class classdefine the system connection Engineering-class idle-timeout 15
define a connection system class engineering-class permissions all
define the system connection AC-class idle-timeout 15
define the connection class AC system class view permissions
Set connection AC-class permissions see the system configurationWe use two classes of genius and NOC. One is defined as a read / write and the second read-only. This is in turn then mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the configuration of the interface and add a Ganymede junos-exec service and do not enter the Protocol field. Then, you change the attributes of the user group. I've attached screenshots for both on this subject.
Hope this helps.
Derek
-
Cisco ACS, multiple CA, assignment of VLAN relevant to the domain
Hi all
I searched for a solution to a specific customer requirement.
I want authenticate users with certificates from different RootCA wireless and assign them to one VLAN based on their field? Ideally, using the same SSID and a Cisco ACS server.
Is this possible? Has anyone seen that it works?
I realize that the ACS can have trust company for the relevant RootCA (dunno what version is needed for this?). And that assignment VLAN is also possible to a unique SSID based on RADIUS attributes. But I am not sure that these parts would fit together?
Would appreciate some advice!
Thanks in advance
Rob
Hello
Yes, this is possible. I suggest that you implement one by one to make sure that everything works, but no problem to do so. All recent versions of ACS allow this.
You can do mapping group from ad groups (a group for each area, so if you want to) and assign the vlan based on the mapping of this group.
GBA can trust several certification authorities and authenticate users with certificates of all these cases. It's just a matter of import these number certificate in the trust list.
And you can assign the vlan and use only one ssid as well.
I can't guide you on the procedure that it depends on which version you have and if you have IOS ap or WLC, but it is basically each function separated as in the config Guide and just used all together.
Nicolas
===
Remember responses of the rate that you find useful
-
Cisco ACS 5.2 and IOS XR
We deploy devices with IOS XR and I was wondering if anyone has experience their deployment with GANYMEDE authenticate on the Cisco ACS 5.x platform. If so, can you give some examples of how you have mapped the groups predefined by the user.
Thank you
Here's an example of how to do that crs to ensure share you the correct tasks under the profile of the shell.
Thank you
Tarik
-
Problem with certifcate on Cisco ACS
We want to authenticate our internal wireless users using our Cisco ACS running 5.3. GBA questions our Active Directory environment for the user name and password provided. I created a CSR on GBA and it provided to Entrust. They gave me a root certificate, string and server. I've linked the server certificate to the CSR under System Administration > Local Server Certificates > local certificates. I then added the chain and the root certificates to the users of the site and identity stores > autorités. When I try to connect to a laptop client he asks a user name and password, but after entering this information, I am presented with the warning on this certificate below. This certificate is to Entrust and I see the certificate root in the root store on the laptop. Any ideas what would cause this. TAC does not seem to have all the answers. They say it's a problem of the client machine.
In case you want to check your configuration settings.
http://www.Cisco.com/en/us/products/ps10315/products_configuration_example09186a0080bd1100.shtml
~ BR
Jatin kone* Does the rate of useful messages *.
-
Problem with Cisco ACS and different areas
Hello
We are conducting currently a problem with Cisco ACS that we put in place, and I'll try to describe:
We have ACS related directory AD areas, where we have 2 domains and appropriate group mappings.
Then we have our Cisco switches with the following configuration,
AAA new-model
AAA-authentication failure message ^ CCCC
Failled to authenticate!
Please IT networks Contact Group for more information.
^ C
AAA authentication login default group Ganymede + local
AAA authorization exec default group Ganymede + local
AAA authorization network default group Ganymede + local
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
!
AAA - the id of the joint session
But the problem is that with the users in a domain, we can authenticate, but not the other. Basically, the question is that when we check on the past of authentication, two authentications are passage and the display of 'Authentic OK', but on the side of the switch, there is a power failure.
There may be something wrong with the ACS?
Thank you
Jorge
Try increasing the timeout on IOS device using radius-server timeout 10.
Do we not have journaling enabled on the ACS server remotely?
-Philou
-
Cisco ACS SE GANYMEDE + accounting fails
Hello
I'm under Cisco ACS SE 4.1.23.5. My problem is that the ACS don't Jrnl of the remote switches. I have configured the following accounting commands:
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 0 arrhythmic default group Ganymede +.
orders accounting AAA 15 by default start-stop Ganymede group.
Default connection accounting AAA power Ganymede group.
When I enable aaa accounting debugging, I get the following logs on the switch.
001091: 12 sep 12:06:06.464 TSB: AAA/ACCT: user johndoe, acct type 3 (2684940942): method = Ganymede + (Ganymede +)
001092: 12 sep 12:06:06.665 TSB: TAC +: (2684940942): received the status of response acct = SUCCESS
001093: 12 sep 12:06:11.128 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:
'show running-config '.
" 001094: 12 sep 12:06:11.128 TSB: AAA/ACCT/CMD: find the "default" list
001095: 12 sep 12:06:11.346 TSB: AAA/ACCT: user johndoe, acct type 3 (1583033889): method = Ganymede + (Ganymede +)
001096: 12 sep 12:06:12.000 TSB: TAC +: (1583033889): received the status of response acct = SUCCESS
001097: 12 sep 12:08:16.303 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:
' configure terminal '.
" 001098: 12 sep 12:08:16.303 TSB: AAA/ACCT/CMD: find the "default" list
001099: 12 sep 12:08:16.303 TSB: AAA/ACCT: user johndoe, acct type 3 (1098049616): method = Ganymede + (Ganymede +)
001100: 12 sep 12:08:16.504 TSB: TAC +: (1098049616): received the status of response acct = SUCCESS
001101: 12 sep 12:08:29.884 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:
It seems that the switch is well a response but the CSA record. I have updated the ACS for the latest patch (4.1.23.5), which is supposed to resolve this known bug.
Is there something that I am missing?
Thank you.
ESD
And what you get in the newspapers of Ganymede Administration?
Kind regards
Prem
-
RADIUS does not not on Cisco ACS SE v4.1 (1)
Hello
I have a CiscoSecure ACS version 4.1 (1) build 23.
I can't configure the Cisco ACS for granular control of access router. I have a Netopia Router that is configured to use RADIUS to authenticate remotely for a telnet connection. The router sends the request to access the Cisco ACS SE RADIUS and a sniff on the side of the ACS shows the application of GBA, but I see no response from the ACS. RADIUS authentication to work with a Windows 2003 server.
I configured an AAA client and a user of the ACS and use the default group. I use IETF RADIUS. Should what attributes I configure. In Windows, I use Service Type framed and Framed-Protocol PPP. This does not work with the Cisco ACS SE. Nothing shows up in the newspapers. It shouldn't be so difficult, but for some reason I can't make it work.
Thanks for any help.
Jutta Kullmann
Jutta,
Good to know it works very well. Please mark this thread as solved so other can benefit from.
Kind regards
~ JG
Maybe you are looking for
-
How can I remove the firefox password reminder? It is very annoying!
I don't want firefox continues to ask me if I want to save a password. How can I disable this rather boring?Thank you.
-
Portege M750 WIFI disconnects all about 30 minutes on its own
Hello I recently bought a new M750 and made a clean installation of vista on the system. I downloaded all the drivers from the Toshiba support website and everything works fine. However, the WIFI connection drops every 30 minutes and takes about 2-3
-
Hey, in my attached program I check if the two steps of translation are in a specific position. If Yes, I want my code to execute a sequence of movements. If this isn't the case, I'm asking the user if he wants contributed from this position anyway.
-
HP pavilion dv7-6b55dx - line quarter inch Horizontal gray in the middle of the screen
Recently bought a HP pavilion dv7-6b55dx notebook from Best Buy. Recently, the screen started to have a quarter inch gray horizontal line in the middle of it. Gray line has more grey lines inside. 6 month warranty just expired. Y at - it 'easy' f
-
activate Windows does not work
When I try to open windows activate its tells me that windows do not have access to the file, you do not have the appropriate permissions to access the item what I'm soposse to do