
10 devices on ACS, 20 users mapped from windows. How to specify access?

Unanswered Question
Jan 5th, 2009

I have 10 devices and I want the administrative access to be authenticated against an ACS.

There are 20 users who will be allowed to authenticate on them, but they must have different access like:

User A access -> 1,5,8,9

User B access -> 8,9,10

And so on.

I've tried to use NAR to say which user has access to which device, but this way I must create a Windows group for each combination of user device access, which is extremely huge for 10 devices.

I would need one group for who can access devices 1,5,8. Another for 4,8,9 and so on. Besides that, for each change I would need to create a new group.

The total number of combinations is more than 3,600,00 for 10 devices.

jhillend Mon, 01/05/2009 - 12:14

If you were to create a user group for each NAR combination you would need (2^10)-1 groups, or 1023 user groups. Still a big number and more than twice the number of available user groups in ACS. In this case you are better off configuring the NAR capability in each individual user configuration.

To explain the above number, the following list will explain:

devs | grps
3 | 7
4 | 15
5 | 31

For 3 devices, a, b and c, the combinations are: abc, ab, ac, bc, a, b, c (= 7)

For 5 devices, a, b, c, d and e, the combinations are: abcde, abcd, abce, abde, acde, bcde, abc, abd, abe, acd, ace, ade, bcd, bce, bde, cde, ab, ac, ad, ae, bc, bd, be, cd, ce, de, a, b, c, d and e (= 31)

and so on.

guibarati Mon, 01/05/2009 - 12:28

Ok, I had misused the 10! instead of 2^10-1, but that is not the point; the point is that too many groups would be necessary, and you caught that.

So you suggested using user-level NAR, but can I use that for users in Windows? Like mapping an individual Windows user to an ACS user?

Or should I create local ACS database users to do that?

jhillend Mon, 01/05/2009 - 13:21

Ah, you didn't mention Windows. Well, if you only have 20 users, the most groups you would need are 20. Or, if you only have 20 users, I would suggest configuring the users directly on ACS and using Windows AD for authentication only. They keep their normal login, but you have control over them. I am assuming that these users are device administrators requiring access control to network devices through ACS.
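As an added illustration of the counting in jhillend's two replies above (the 2^n - 1 non-empty device subsets a group-per-combination design needs, versus at most one group per user when users are configured individually), and not code from the thread or from Cisco ACS: a small Python script that enumerates the NAR combinations for n devices and then derives, from a constructed access table, the per-device permit and deny lists a user-level NAR design would carry. The user names and device numbers are made up for the example; only "userA -> 1,5,8,9" and "userB -> 8,9,10" come from the question.

```python
from itertools import combinations

# Constructed sample: 10 managed devices, numbered 1..10 as in the question.
DEVICES = list(range(1, 11))

# Constructed access table (assumed data, not from the thread): which devices
# each administrator may log in to. userA and userB mirror the question.
USER_ACCESS = {
    "userA": [1, 5, 8, 9],
    "userB": [8, 9, 10],
    "userC": [1, 5, 8, 9],   # identical to userA: could share one group
    "userD": [2, 3],
    "userE": [10],
}


def nar_combinations(devices):
    """Every non-empty subset of devices, largest first.

    This is the list of distinct NARs a group-per-combination design would
    have to provision up front, whether or not any user ever needs them.
    """
    combos = []
    for size in range(len(devices), 0, -1):
        combos.extend(combinations(devices, size))
    return combos


def group_per_combination_count(n_devices):
    """Closed form for the size of nar_combinations(): 2^n - 1."""
    return 2 ** n_devices - 1


def groups_needed(user_access):
    """Groups needed when users with identical device sets share one group.

    Bounded above by the number of users (jhillend's "at most 20"), not by
    the number of possible combinations.
    """
    return len({frozenset(devs) for devs in user_access.values()})


def per_user_nar(user_access, devices):
    """Per-user NAR table: for each user, the explicit permit and deny lists.

    Listing the deny set explicitly makes the least-privilege intent
    reviewable: every device not granted is denied, not merely unmentioned.
    """
    all_devices = set(devices)
    table = {}
    for user, allowed in user_access.items():
        allowed = set(allowed)
        unknown = allowed - all_devices
        if unknown:
            # A typo in the access table would otherwise grant a device
            # that does not exist (or, worse, one added later).
            raise ValueError(f"{user}: unknown device(s) {sorted(unknown)}")
        table[user] = {
            "permit": sorted(allowed),
            "deny": sorted(all_devices - allowed),
        }
    return table


if __name__ == "__main__":
    for n in (3, 4, 5, 10):
        print(f"{n} devices -> {group_per_combination_count(n)} groups "
              f"if one group per combination")
    print("3-device combinations:",
          ["".join(c) for c in nar_combinations(["a", "b", "c"])])
    print("groups actually needed for the sample users:",
          groups_needed(USER_ACCESS))
    for user, nar in per_user_nar(USER_ACCESS, DEVICES).items():
        print(f"{user}: permit {nar['permit']} deny {nar['deny']}")
```

Running it reproduces the 7/15/31/1023 figures from the reply and the abc, ab, ac, bc, a, b, c listing for three devices, while the constructed five-user table needs only four groups because two users share an access set.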

guibarati Tue, 01/06/2009 - 02:25

Actually I mentioned "mapped from windows" in the title, but I guess I should have said it in the conversation's body.

But my big problem is the growing number of users, so I would like a way to limit the access of users somehow so that I don't need one group per access combination.
