Hi,
I configured AAA on Cisco devices (routers and Layer 2 & 3 switches) which connect to Microsoft
NPS (as RADIUS) for authentication and authorization. All works properly and fine!
In NPS, which is used as the RADIUS server, I created groups for privilege levels.
So,
assume I have 10 switches (SW-1 through SW-10).
I have one special user in Active Directory, e.g. MR.X.
I want user MR.X to be able to telnet only to SW-4 & SW-5 and not be able to connect via telnet or SSH to the others (all except SW-4 & SW-5).
Note*: I should deny MR.X only by username, because MR.X can change IP address, so I can't use an access-list to deny, for example, the IP X.Y.Z.W :(
So what is the best solution?
1- Is (are) there any user-based access-list on Cisco IOS which defines MR.X from the AD server 2008 and prohibits (denies) connecting to switches or routers?
--------------------------------------------------------------
2- Should I change something in the GPO server? Is there any policy that can define that user MR.X can telnet only to a special IP or ... and deny the others?
---------------------------------
3- Or is there a way to prevent a user from a special IP (I know there is an IP filter, but assume we have 100 switches or more),
so it takes too much time to add all of them.
Thanks