hello every one recently i have started using cisco ise as a tacacs server to grant device access using active directory credentionals witch works fine but i have found out the even if a user is in active directory and has not been assigned to the access group it still can login to routers and has read access but no write access, so how can i prevent anyone without the right group accessing network devices.
my router config :
aaa new-model aaa group server tacacs+ ISE server-private 10.1.1.114 key *** cache expiry 8760 cache authorization profile LOGIN-AD-CACHE cache authentication profile LOGIN-AD-CACHE aaa authentication login LOGIN group ISE cache ISE local aaa authentication login CONSOLE local aaa authorization config-commands aaa authorization exec AUTH_EXEC group ISE cache ISE local if-authenticated aaa authorization commands 0 AUTHO-COMMAND group ISE local if-authenticated aaa authorization commands 15 AUTHO-COMMAND group ISE local if-authenticated aaa cache profile LOGIN-AD-CACHE all
No comments:
Post a Comment