From: keith tokash (ktokash@hotmail.com)
Date: Thu Jan 03 2008 - 04:13:09 ARST
I had the same problem in our environment. I never figured out how to make
authentication fail on certain devices, so I used authorization to ban them
from doing anything at all. They can't even check the clock on a specific set
of devices.
Not too hard to do this.
1. Network Device Group with verboten devices
2. User Group with useless politicking consult^H^H^H^H^H^H unauthorized users
3. Authorization command set that does not allow any commands at all
4. Have authorization check level 0/1/15 commands, plus any other levels you
may have mapped commands to
Steps 1-3 done on ACS, step 4 done on router/switch.
Not the ideal solution, but acceptable in my circumstances so I stopped
looking. If you find the authentication answer let me know. :)
With a few exceptions, secrecy is deeply incompatible with democracy and with
science.
--Carl Sagan
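The switch/router side of Keith's step 4, written out as an added IOS configuration example; it is not from the thread and none of the posters supplied it. The server address 10.0.0.5, the server-group name ACS-TACACS and the key are placeholders, and the "deny everything" command set itself is built on ACS (steps 1-3), not here.

```ios
! Added example (not from the original thread): AAA on the switch/router so
! that command authorization is actually referred to ACS for every privilege
! level that has commands mapped to it. 10.0.0.5, ACS-TACACS and the key are
! placeholders.
aaa new-model
!
tacacs-server host 10.0.0.5 key S3cretKeyPlaceholder
aaa group server tacacs+ ACS-TACACS
 server 10.0.0.5
!
! Authentication: any user in the ACS database still passes this step on
! every device, which is the limitation the thread is about.
aaa authentication login default group ACS-TACACS local
!
! EXEC authorization: ACS can return a privilege level or refuse the shell.
aaa authorization exec default group ACS-TACACS local
!
! Command authorization per privilege level. Without these lines the empty
! command set on ACS is never consulted and the user group is not banned.
aaa authorization commands 0 default group ACS-TACACS local
aaa authorization commands 1 default group ACS-TACACS local
aaa authorization commands 15 default group ACS-TACACS local
! Configuration-mode commands are covered by level 15 command authorization;
! this is on by default and is stated here so nobody switches it off.
aaa authorization config-commands
!
! Accounting, so the denied command attempts are visible on ACS as well.
aaa accounting commands 15 default start-stop group ACS-TACACS
!
! Apply to the console and the VTYs.
aaa authorization console
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 0 default
 authorization commands 1 default
 authorization commands 15 default
!
! Caveat: the fallback method matters. With "local" as the second method, a
! user who is already logged in is checked against local privilege levels
! only while ACS is unreachable; "if-authenticated" or "none" as a fallback
! would let anyone who passed login run commands the moment ACS stops
! answering, undoing the scheme. Keep "local" and a strong local account.
```

To confirm the ban is in effect, log in as a member of the unauthorized group and try `show clock`; `show privilege` and `debug aaa authorization` on the device show whether the request was sent to ACS and what it answered.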
> Date: Thu, 3 Jan 2008 10:04:44 +0800
> From: ciscobee@gmail.com
> To: 1000baset@gmail.com
> Subject: Re: OT: ACS Group/filtering Question.
> CC: ccielab@groupstudy.com
>
> Have you taken a look at the ACS Device Group feature? You can group a
> collection of devices under a device group
> and associate it with user access rights.
>
>
> http://www.cisco.com/en/US/products/ps8543/products_user_guide_chapter09186a00808b9918.html#wp1043117
>
> HTH
>
>
> On Jan 3, 2008 9:40 AM, Ken Young <1000baset@gmail.com> wrote:
> > Happy New Year everyone!
> >
> >
> >
> > I have an ACS question. I am relatively new with ACS and have a couple of
> > questions:
> >
> >
> >
> > I am trying to configure a scenario such as this:
> >
> >
> >
> > Group10 Can authenticate to Switch1 and Switch2
> >
> > Group12 Can Authenticate to Switch1, 2, 3, 4
> >
> > Group 14 Can Authenticate to all Wireless APs. but not switches
> >
> >
> >
> > I have the switches configured so they are authenticating to the ACS server
> > no problem, likewise for my wireless clients.
> >
> >
> >
> > The problem I am encountering is that it seems that if a user can
> > successfully authenticate at all then they can access all devices. I have
> > looked into NARs as I thought that would provide the function that I am
> > looking for, but so far no luck.
> >
> >
> >
> > The reverse seems very doable: if a member of this group, deny access. But
> > I can't seem to figure out: if a member of this group, permit access. I am
> > sure I am missing something very simple.
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:57 ARST