Posted by on July 25, 2007, 5:29 pm
> Thanks to Dave and Doug for replying to my earlier post. I now have my
> 2600s authenticating to a Radius server.
>
> However, I have run into another issue I hope someone can help me with.
>
> On my Juniper SBR radius server, I have set up two active directory groups
> for domain authentication against the radius server. I have a Cisco VPN
> Client group, and a Cisco Router Admin group.
>
> Practically everyone in the company is in the Cisco VPN Client group.
> Conversely, only 5 of us are in the Cisco Router Admins group.
>
> When I remove Joe from the Cisco Router Admins group, he is still able to
> log on to our Cisco routers. I have confirmed that this is because he is
> still a member of the Cisco VPN Client group.
>
> More alarming, it appears that everyone in the Cisco VPN Client group is
> authorized to log in to our routers.
>
> Is there a way to configure the radius server so that it knows which
> resources a group should have access to? I suppose my main concern is that
> anyone who is a member of any group on the radius server will have access to
> any of our devices that are authenticating against that server, regardless
> of type of device, job function, etc.
John
You have 3 choices:
1. use different RADIUS servers/instances for VPN users and for admins
2. use a single RADIUS server with Filter-Id configured, and configure ACLs on the 2600
3. continue to use RADIUS for VPN users and use TACACS for admins
regards
Roman Nakhmanson
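The underlying problem is that a RADIUS Access-Accept only says "this user authenticated"; unless the server returns attributes that differ per NAS or per group, every router whose login method list points at that server treats every SBR user as a valid operator. Option 3 fixes this on the router itself: the method list attached to the vty and console lines decides which server is asked, so admin logins never touch the RADIUS group at all. The following Cisco IOS fragment for a 2600 is an added example, not configuration from the original thread; the server addresses, shared secrets, list names and crypto map name are placeholders.

```text
! Added example: split AAA on a Cisco 2600 (option 3 above).
! 192.0.2.10 / 192.0.2.20 and the secrets are placeholder values.
aaa new-model
!
! TACACS+ is consulted only for device administration.
tacacs-server host 192.0.2.10 key ChangeMeTacacs
!
! The SBR RADIUS server is consulted only for VPN client authentication.
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key ChangeMeRadius
!
! Named method lists keep the two user populations apart.
aaa authentication login ADMIN-LOGIN group tacacs+ local
aaa authorization exec ADMIN-EXEC group tacacs+ local
aaa authentication login VPN-XAUTH group radius
!
! Leave the default login list on local only, so no line that is
! accidentally left without a named list falls back to RADIUS.
aaa authentication login default local
!
! Local fallback account, used only if the TACACS+ server is unreachable.
username emergency privilege 15 secret ChangeMeLocal
!
line con 0
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
line vty 0 4
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
 transport input ssh
!
! Easy VPN server side: only the XAUTH step of this crypto map asks RADIUS.
crypto map VPNMAP client authentication list VPN-XAUTH
```

After applying this, a member of the Cisco VPN Client group who is not defined on the TACACS+ server is rejected at the vty prompt regardless of what SBR would have answered, and removing Joe from the Cisco Router Admins group on the TACACS+ side is enough to revoke his router access. Verify with `show run | section aaa` and `show run | section line` that no line still carries a login list containing `group radius`, and check with `test aaa group tacacs+ <user> <password> legacy` that the admin path works before closing the console session you configured it from.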