Security

Occasional Contributor I
Posts: 6
Registered: ‎01-29-2013

Tacacs Restrictions

I am trying to set up Tacacs Services that are authenticating against a single LDAP source. However, the users need access to different devices. I can segregate the services by device group. But I have not been able to determine how to restrict access to individual users or groups of users without putting in a restriction on the service itself (which I would prefer not to).

How do you restrict a group of devices to a group of users?

MVP
Posts: 4,022
Registered: ‎07-20-2011

Re: Tacacs Restrictions

You can try using a policy profiling certain users that you want to allow or restrict, and then you can apply it to the service.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: ‎01-29-2013

Re: Tacacs Restrictions

I think I may have found the same thing after posting, but want to run it by you if you have a minute.

 

I went into the Enforcement Policy/Rules and set up the conditions to limit access to.  Here is what I did.

 

I created a rule that specifically allowed the user (or group) and set it to the correct Profile.  But in order to get another user to fail, I had to also then set up a rule that would match that user (or group) and set it to an incorrect profile.  If I omitted the second rule, they would authenticate anyway.  But by setting up the rule to pull up a profile that did not include the device, it matches the rule, then fails the device test.

 

Am I over complicating things?  Or is that what you had in mind?

 

Thanks for the quick response.

MVP
Posts: 4,022
Registered: ‎07-20-2011

Re: Tacacs Restrictions

You are on the right track. You might be missing just a couple of things; can you share a couple of screenshots of your setup?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: ‎01-29-2013

Re: Tacacs Restrictions

I am attaching the summary from the service, and then the Enforcement profile page.

For the configuration in question, DNEWSOME is the user's LDAP ID (EAD LDAP).  So that one is explicitly allowed, while the rest (anyone else in the EAD LDAP) are denied by the second rule.

 

We then authenticate against the local database (where we have the superusers - the ones that have access to everything).  The Local database also includes some of the individual campus folks (legacy that I hope to get rid of in the near future).  So the legacy users are denied, while the rest of the Local Database is allowed (the last line).

 

The "DenyProfile" is basically an empty profile that has no devices, so forcing the users to be put into that profile denies them access to the device.

 

Let me know if you need any other screen shots.

MVP
Posts: 4,022
Registered: ‎07-20-2011

Re: Tacacs Restrictions

 

Can you please share the enforcement policy ?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: ‎01-29-2013

Re: Tacacs Restrictions

Sorry for the delay in responding. Got caught up with a RADIUS issue. Here is the enforcement policy.

MVP
Posts: 4,022
Registered: ‎07-20-2011

Re: Tacacs Restrictions

The enforcement policy you shared is a RADIUS type, shouldn't it be a TACACS type?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: ‎01-29-2013

Re: Tacacs Restrictions

Oops!  Sorry.  Sometimes my multitasking gets confusing.

MVP
Posts: 4,022
Registered: ‎07-20-2011

Re: Tacacs Restrictions

 

Do the following:

Create a Role mapping

Role mapping.png

- Create two rules:

1 - To allow the groups/containers that need to have access, using an authorization source in which those groups/containers exist - Role name "Admins"

2 - To allow the type of devices that need to have access, using the endpoint repository (make sure that you add Endpoint Repository as an authentication source under the service) - Role name "Linux"

3 - Set it up to match all conditions

- Enforcement policy

Enforcement policty.png

- Make a copy of the Admin Network Login Policy and rename it (with the name you want to use), or re-use the one you already have

1 - Add Tips role conditions that match role "Admins" and role "Linux", and apply the TACACS Super Admin enforcement profile (make sure it has the TACACS services you need in the profile)

Finally apply the Role Mapping and Enforcement to the service.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
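To make the difference between the two approaches in this thread concrete, here is an added Python simulation; it is not part of the original thread and not ClearPass code. It models a first-match enforcement policy that falls back to a default profile, a role mapping in which every rule is evaluated and all matching roles are collected, and a final check of whether the selected TACACS profile contains the device. DNEWSOME, EAD LDAP, DenyProfile and TACACS Super Admin are names from the thread; the LDAP group "NetAdmins", the device names, the profile-to-device table, the endpoint repository contents and the permissive "Campus-Profile" default are constructed assumptions. The first policy reproduces the original poster's observation that, without an explicit deny rule, other LDAP users still get through via the default profile; the second reproduces the role-based "match all conditions" design with a deny-by-default profile.

```python
"""Constructed simulation of the two TACACS enforcement styles discussed above.
Not ClearPass code; all device, group and profile data below is made up."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumed: which devices each TACACS enforcement profile may reach.
PROFILE_DEVICES = {
    "TACACS Super Admin": {"core-sw1", "edge-sw1", "linux-host1"},
    "Campus-Profile": {"edge-sw1"},   # a permissive default, assumed
    "DenyProfile": set(),             # empty profile, as in the thread
}

# Assumed endpoint repository: device name -> device type.
ENDPOINT_REPOSITORY = {"core-sw1": "Cisco", "edge-sw1": "Cisco", "linux-host1": "Linux"}

# An enforcement rule: every listed role must be present ("match all conditions").
Rule = Tuple[FrozenSet[str], str]


@dataclass(frozen=True)
class Request:
    user: str                    # login name, e.g. the LDAP ID
    auth_source: str             # "EAD LDAP" or "Local"
    ldap_groups: FrozenSet[str]  # groups returned by the authorization source
    device: str                  # the device the user is logging in to


def role_mapping(req: Request) -> FrozenSet[str]:
    """Evaluate every role-mapping rule; all matching roles are assigned."""
    roles = {f"user:{req.user}", f"source:{req.auth_source}"}
    if "NetAdmins" in req.ldap_groups:                      # rule 1: group exists in auth source
        roles.add("Admins")
    if ENDPOINT_REPOSITORY.get(req.device) == "Linux":      # rule 2: device type from endpoint repo
        roles.add("Linux")
    return frozenset(roles)


def enforcement(roles: FrozenSet[str], rules: List[Rule], default_profile: str) -> str:
    """First-match enforcement policy; unmatched requests get the default profile."""
    for required, profile in rules:
        if required <= roles:
            return profile
    return default_profile


def authorize(req: Request, rules: List[Rule], default_profile: str) -> Tuple[str, bool]:
    """Return (profile chosen, whether that profile contains the requested device)."""
    profile = enforcement(role_mapping(req), rules, default_profile)
    return profile, req.device in PROFILE_DEVICES.get(profile, set())


# Style 1: per-user rules, as first tried in the thread. Without the explicit
# deny rule, every other EAD LDAP user falls through to the default profile.
PER_USER_ALLOW_ONLY: List[Rule] = [(frozenset({"user:DNEWSOME"}), "TACACS Super Admin")]
PER_USER_WITH_DENY: List[Rule] = PER_USER_ALLOW_ONLY + [
    (frozenset({"source:EAD LDAP"}), "DenyProfile"),
]

# Style 2: role based, both roles required, deny by default.
ROLE_BASED: List[Rule] = [(frozenset({"Admins", "Linux"}), "TACACS Super Admin")]


def run_examples() -> dict:
    """Constructed requests run through both policy styles."""
    other_user = Request("JDOE", "EAD LDAP", frozenset(), "edge-sw1")
    admin_on_linux = Request("DNEWSOME", "EAD LDAP", frozenset({"NetAdmins"}), "linux-host1")
    admin_on_switch = Request("DNEWSOME", "EAD LDAP", frozenset({"NetAdmins"}), "core-sw1")
    other_on_linux = Request("JDOE", "EAD LDAP", frozenset(), "linux-host1")
    return {
        "per_user_no_deny": authorize(other_user, PER_USER_ALLOW_ONLY, "Campus-Profile"),
        "per_user_with_deny": authorize(other_user, PER_USER_WITH_DENY, "Campus-Profile"),
        "role_admin_linux": authorize(admin_on_linux, ROLE_BASED, "DenyProfile"),
        "role_admin_switch": authorize(admin_on_switch, ROLE_BASED, "DenyProfile"),
        "role_other_linux": authorize(other_on_linux, ROLE_BASED, "DenyProfile"),
    }


if __name__ == "__main__":
    for name, (profile, allowed) in run_examples().items():
        print(f"{name:20s} -> {profile:20s} allowed={allowed}")
```

The point the simulation makes is that the safety of the per-user style depends entirely on the default profile: if the default can reach devices, every rule you forget becomes an allow. The role-based style inverts that, so a missing role-mapping rule or a device not yet in the endpoint repository results in the empty DenyProfile rather than unexpected access, which is the failure mode you want when reviewing a TACACS policy.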