How to restrict access to particular NAC gateway/switches/End systems?

  • Question
  • Updated 3 years ago
  • Answered
We have NMS installed in HQ and NAC Gateways across the network in different locations. There are some local administrators and we want them to have access to NAC Manager to see and manage local users (from local switches). Is there any possibility to differentiate NAC Administrators to have access only to particular switches and end users authenticated on those switches?

Piotr Owczarek

Posted 3 years ago

Ronald Dvorak, Embassador

No, that isn't possible.

Netsight only allows you to restrict admin users to certain features of Netsight.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-setup-and-Use-Netsight-Authorizatio...

-Ron

Piotr Owczarek

That is something that we are already using. So there is no way to achieve the goals that we need?

Ronald Dvorak, Embassador

No, I don't see any functions that restrict access to certain resources (switches, NAC, ...).

Rainer Adam

I am sorry, but for sure this IS possible. It depends on what you really need to do on the switches. You can create "Zones"; those Zones you have to assign to end-system-groups, and with the webview you can ensure that each local admin is only able to see and manage the MAC addresses he should be able to. We have done this concept with my biggest customer. But we did not give them access to the switches; they don't need this. You only have to create an end-system-group / rule you can put on specific ports when they have to install new (unknown) clients/MAC addresses. With this they are able to see the new MAC addresses and so they can move them to their own managed zones / end-system-groups.


Rainer Adam

We have also restricted the "oneView" settings for each user. These users are not able to log in to the Netsight Server directly; they only have access via OneView. And there it is restricted what End-System-Groups they can see and manage.