How to filter IP in NPS (RADIUS server)

  • Question

  • Hi,

    I configured AAA on Cisco devices (routers/switches, Layer 2 & 3) which connect to Microsoft NPS (as RADIUS) for authentication and authorization. All works properly and fine!

    In NPS, which is used as the RADIUS server, I created a group for privilege level.

    So,

    assume I have 10 switches (SW-1 through SW-10).

    I have one special user in Active Directory, e.g. MR.X.

    I want user MR.X to be able to telnet only to SW-4 & SW-5 and not be able to connect via telnet or SSH to the others (others except SW-4 & SW-5).

    Note*: I should deny MR.X only by username, because MR.X can change IP address, so I can't use an access-list to deny, for example, IP X.Y.Z.W :(

    So what is the best solution?

    1- Is (are) there any user-based access-list on Cisco IOS which defines MR.X from AD Server 2008 and prohibits (denies) connecting to switches or routers?

    --------------------------------------------------------------

    2- Should I change something in the GPO server? Is there any policy that can define that user MR.X can telnet only to a special IP or... and deny others?

    ---------------------------------

    3- Or is there a way to prevent the user from special IPs? (I know there is an IP filter, but assume we have 100 switches and more)

    so it takes too much time to add all of them.

    Thanks

    Friday, December 2, 2016 3:50 PM

All replies

  • Hi Klez,

    >>1- Is (are) there any user-based access-list on Cisco IOS which defines MR.X from AD Server 2008 and prohibits (denies) connecting to switches or routers?

    For this issue, you could post it to the Cisco forum to get effective support.

    >>2- Should I change something in the GPO server? Is there any policy that can define that user MR.X can telnet only to a special IP or... and deny others?

    You could achieve the goal with a hardware firewall.

    >>3- Or is there a way to prevent the user from special IPs? (I know there is an IP filter, but assume we have 100 switches and more)

    As far as I know, NPS could not achieve the goal.

    Best Regards

    John


    Monday, December 5, 2016 6:50 AM