Cisco ACS - Limit Network Access Profiles to Active Directory UserGroup?

Discussion in 'Cisco' started by aLTeReGo, Mar 30, 2008.

  1. aLTeReGo

    aLTeReGo Guest

    I'm currently in the process of migrating from Microsoft IAS to Cisco
    ACS 4.2. I'm currently running an Eval of CSACS v4.2 for Windows in
    the Lab until I can work out the issues.

    So far I've been fairly successful getting user accounts authenticated
    with active directory credentials using the "Windows Database"
    external user database. The only problem I've run into is that I can't
    seem to figure out how to restrict access based on Active Directory
    group membership.

    For instance, in the lab I have a Cisco 3750 switch using RADIUS
    authentication tied back to the ACS server to control login access.
    But given my current ACS configuration everyone in the Windows domain
    can log in to the switch. How can I restrict that down to just a
    specific user group in Active Directory?
     
    aLTeReGo, Mar 30, 2008
    #1

  2. alibowl

    alibowl Guest

    I am also having the same issue. Did you ever find a solution?

    Regards

    Ali
     
    alibowl, Apr 25, 2008
    #2

  3. Cen

    Cen Guest

    You can do this via unknown user group mappings.
    Assuming you've added the Windows Database to your ACS unknown user
    policy, do the following:
    - Go to External User Databases, Database Group Mappings.
    - Select Windows Database.
    - Select your domain. Add a mapping to map from the AD group to an ACS
    group, say "Group A".
    - Unmapped groups will by default be mapped to the ACS default group.
    - In the ACS default group, in Group Setup, edit the settings so that
    "Per Group Defined Network Access Restrictions" has the following
    setting:
      - Denied calling/point of access locations: add the appropriate AAA
      client to deny (in this case your switch).
    - In the ACS "Group A" (mapped above), in Group Setup:
      - Allowed calling/point of access locations: add the AAA client to
      allow.
     
    Cen, May 9, 2008
    #3
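To make the effect of Cen's two NAR settings concrete, here is a small model of the decision ACS 4.x makes once group mapping and per-group Network Access Restrictions are in place. This is an added illustration, not ACS code and not from any poster in the thread: the domain, AD groups, user accounts and the AAA client name `lab-3750` are made up, and the first-match ordering of mappings is how I understand ACS 4.x to evaluate them (verify against your version). It shows the thread starter's situation (default group with no NAR, so every domain account reaches the switch) beside the fixed one (default group denies the switch, only the mapped group is permitted).

```python
"""Model of how Cisco ACS 4.x decides a switch login once Windows
Database group mapping and per-group Network Access Restrictions
(NARs) are in place.  Added illustration, not ACS code; the domain,
group, user and AAA-client names are made up."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Nar:
    """Per-group NAR on AAA clients ("calling/point of access locations").

    mode "permit": only the listed AAA clients are reachable.
    mode "deny":   the listed AAA clients are blocked, all others reachable.
    """
    mode: str
    clients: FrozenSet[str]

    def permits(self, aaa_client: str) -> bool:
        if self.mode == "permit":
            return aaa_client in self.clients
        if self.mode == "deny":
            return aaa_client not in self.clients
        raise ValueError(f"unknown NAR mode {self.mode!r}")


def map_to_acs_group(ad_groups: Sequence[str],
                     mappings: Sequence[Tuple[str, str]],
                     default_group: str) -> str:
    """Database group mapping.  Mappings are tried in configured order and
    the first one whose AD group the user belongs to wins (assumed ACS 4.x
    behaviour); a user in no mapped group falls through to the default group."""
    for ad_group, acs_group in mappings:
        if ad_group in ad_groups:
            return acs_group
    return default_group


def authorize(ad_groups: Sequence[str], aaa_client: str,
              mappings: Sequence[Tuple[str, str]], default_group: str,
              nars: Dict[str, Optional[Nar]]) -> Tuple[str, bool]:
    """Return (ACS group the user landed in, whether the AAA client is
    reachable).  A group with no NAR configured restricts nothing."""
    acs_group = map_to_acs_group(ad_groups, mappings, default_group)
    nar = nars.get(acs_group)
    return acs_group, True if nar is None else nar.permits(aaa_client)


# Constructed sample environment (made-up names).
SWITCH = "lab-3750"                      # AAA client name as entered in ACS
DEFAULT_GROUP = "Default Group"
MAPPINGS = [("CORP\\NetworkAdmins", "Group A")]
USERS = {
    "alice": ["CORP\\Domain Users", "CORP\\NetworkAdmins"],
    "bob":   ["CORP\\Domain Users", "CORP\\HelpDesk"],
}


def decide_all(nars: Dict[str, Optional[Nar]]) -> Dict[str, Tuple[str, bool]]:
    return {u: authorize(g, SWITCH, MAPPINGS, DEFAULT_GROUP, nars)
            for u, g in USERS.items()}


def before_fix() -> Dict[str, Tuple[str, bool]]:
    """Thread starter's situation: Group A is mapped, but the default group
    carries no NAR, so every domain account can reach the switch."""
    return decide_all({"Group A": Nar("permit", frozenset({SWITCH}))})


def after_fix() -> Dict[str, Tuple[str, bool]]:
    """Cen's fix: deny the switch in the default group and permit it in
    Group A.  Only mapped users get through; everyone else fails closed."""
    return decide_all({
        "Default Group": Nar("deny", frozenset({SWITCH})),
        "Group A": Nar("permit", frozenset({SWITCH})),
    })


if __name__ == "__main__":
    for label, result in (("before", before_fix()), ("after", after_fix())):
        for user, (group, ok) in result.items():
            print(f"{label}: {user:6} -> {group:14} {'ALLOW' if ok else 'DENY'}")
```

Two things the model makes visible that are easy to miss in the GUI: the deny list on the default group only covers the AAA clients you list, so a switch added to ACS later is reachable by every domain account until its entry is added there too; and when a user belongs to more than one mapped AD group, the order of the mappings decides which ACS group (and which NAR) applies.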
