Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Tacacs Restrictions

  • 1.  Tacacs Restrictions

    Posted May 30, 2013 04:31 PM

    I am trying to set up Tacacs Services that are authenticating against a single LDAP source.  However, the users need access to different devices.  I can segregate the services by device group.  But I have not been able to determine how to restrict access to individual users or groups of users without putting in a restriction on the service itself (which I would prefer not to).


    How do you restrict a group of devices to a group of users?



  • 2.  RE: Tacacs Restrictions

    Posted May 30, 2013 05:26 PM
    You can try using a policy profiling certain users that you want to allow or restrict, and then you can apply it to the service.


  • 3.  RE: Tacacs Restrictions

    Posted May 31, 2013 07:25 AM

    I think I may have found the same thing after posting, but want to run it by you if you have a minute.


    I went into the Enforcement Policy/Rules and set up the conditions to limit access to.  Here is what I did.


    I created a rule that specifically allowed the user (or group) and set it to the correct Profile.  But in order to get another user to fail, I had to also then set up a rule that would match that user (or group) and set it to an incorrect profile.  If I omitted the second rule, they would authenticate anyway.  But by setting up the rule to pull up a profile that did not include the device, it matches the rule, then fails the device test.


    Am I over complicating things?  Or is that what you had in mind?


    Thanks for the quick response.



  • 4.  RE: Tacacs Restrictions

    Posted May 31, 2013 12:21 PM
    You are on the right track.  You might be missing just a couple of things; can you share a couple of screenshots of your setup?


  • 5.  RE: Tacacs Restrictions

    Posted May 31, 2013 12:33 PM

    I am attaching the summary from the service, and then the Enforcement profile page. 


    For the configuration in question, DNEWSOME is the user's LDAP ID (EAD LDAP).  So that one is explicitly allowed, while the rest (anyone else in the EAD LDAP) are denied by the second rule.


    We then authenticate against the local database (where we have the superusers - the ones that have access to everything).  The Local database also includes some of the individual campus folks (legacy that I hope to get rid of in the near future).  So the legacy users are denied, while the rest of the Local Database is allowed (the last line).


    The "DenyProfile" is basically an empty profile that has no devices, so forcing the users to be put into that profile denies them access to the device.


    Let me know if you need any other screen shots.

    Attachment: Customized Tacacs.pdf (376 KB)


  • 6.  RE: Tacacs Restrictions

    Posted Jun 03, 2013 01:54 PM


    Can you please share the enforcement policy?



  • 7.  RE: Tacacs Restrictions

    Posted Jun 05, 2013 08:21 AM

    Sorry for the delay in responding.  Got caught up with a RADIUS issue.  Here is the enforcement policy.




  • 8.  RE: Tacacs Restrictions

    Posted Jun 06, 2013 08:42 AM

    The enforcement policy you shared is a RADIUS type; shouldn't it be a TACACS type?



  • 9.  RE: Tacacs Restrictions

    Posted Jun 06, 2013 08:47 AM

    Oops!  Sorry.  Sometimes my multitasking gets confusing.



  • 10.  RE: Tacacs Restrictions
    Best Answer

    Posted Jun 06, 2013 10:55 AM


    Do the following:


    Create a Role mapping

    Role mapping.png


    - Create two rules:

    1 - To allow the groups/containers that need to have access, using an authorization check that those groups/containers exist - Role name "Admins"

    2 - To allow the type of devices that need to have access, using the Endpoint Repository (make sure that you add Endpoint Repository as an authentication source under the service) - Role name "Linux"

    3 - Set it up to match all conditions


    - Enforcement policy

    Enforcement policty.png


    - Make a copy of the Admin Network Login Policy and rename it (with the name you want to use), or re-use the one you already have

    1 - Add Tips, match role "Admins" and role "Linux", and apply it to the TACACS Super Admin enforcement profile (make sure it has the TACACS services you need in the profile)


    Finally apply the Role Mapping and Enforcement to the service.
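    The evaluation described in this answer (role mapping first, then an enforcement rule that requires both roles), and the point raised earlier in the thread that a permissive default lets through anyone not matched by an explicit rule, can be modelled in a few lines. The following is an added example, not code from this thread or from ClearPass, and it does not use the ClearPass API; the LDAP group name NetworkAdmins, the device category Linux, the profile names and the sample requests are assumptions constructed for illustration.

```python
"""Toy model of role mapping followed by enforcement for a TACACS+ login.
Constructed for illustration: this is not ClearPass code and does not use its
API. The group name NetworkAdmins, the device category Linux, the profile
names and the sample requests below are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    username: str
    ldap_groups: frozenset   # groups returned by the LDAP authorization source
    device_category: str     # device type as recorded in the Endpoint Repository


# --- Role mapping -----------------------------------------------------------
# Each rule is (role to assign, conditions). A rule assigns its role only when
# ALL of its conditions hold, i.e. "match all conditions".
ROLE_MAPPING_RULES = [
    ("Admins", [lambda r: "NetworkAdmins" in r.ldap_groups]),
    ("Linux", [lambda r: r.device_category == "Linux"]),
]


def map_roles(req):
    """Return the set of roles whose conditions all hold for this request."""
    return frozenset(
        role for role, conds in ROLE_MAPPING_RULES if all(c(req) for c in conds)
    )


# --- Enforcement policy -----------------------------------------------------
# Ordered rules; the first rule whose required roles are all present wins.
# If no rule matches, the policy's default profile applies.
DENY_PROFILE = "DenyProfile"   # empty profile with no devices: access denied
ENFORCEMENT_RULES = [
    # requires BOTH roles: a member of the admin group logging in to a Linux box
    (frozenset({"Admins", "Linux"}), "TACACS_Super_Admin"),
]


def enforce(roles, default_profile=DENY_PROFILE):
    """First-match evaluation over ENFORCEMENT_RULES, then the default."""
    for required, profile in ENFORCEMENT_RULES:
        if required <= roles:
            return profile
    return default_profile


def decide(req, default_profile=DENY_PROFILE):
    """Full evaluation: derive roles, then pick the enforcement profile."""
    return enforce(map_roles(req), default_profile)


# Constructed sample requests (assumed names, not from the thread).
ADMIN_ON_LINUX = Request("alice", frozenset({"NetworkAdmins"}), "Linux")
ADMIN_ON_SWITCH = Request("alice", frozenset({"NetworkAdmins"}), "Switch")
HELPDESK_ON_LINUX = Request("bob", frozenset({"HelpDesk"}), "Linux")

if __name__ == "__main__":
    for req in (ADMIN_ON_LINUX, ADMIN_ON_SWITCH, HELPDESK_ON_LINUX):
        print(req.username, req.device_category,
              sorted(map_roles(req)), "->", decide(req))
    # With a permissive default profile, anyone not matched by an explicit rule
    # is let in; that is why an explicit deny rule (or a deny default) is needed.
    print("permissive default:",
          decide(HELPDESK_ON_LINUX, default_profile="Allow Access"))
```

The two-role requirement in the enforcement rule is what ties the user group and the device type together without touching the service itself; the default profile is the part to audit, since a policy whose default is an allow profile only denies the people an explicit rule happens to catch.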


  • 11.  RE: Tacacs Restrictions

    Posted Jun 10, 2013 10:58 AM

    Got it!  Thanks.  I am in the process of cleaning it up, so will go with the Role Mappings route.  Thanks for your help.