01-05-2009 05:00 AM - edited 03-10-2019 04:15 PM
I have 10 devices and I want the administrative access to be authenticated against an ACS.
There are 20 users who will be allowed to authenticate on them, but they must have different access like:
User A access -> 1,5,8,9
User B access -> 8,9,10
And so on.
I've tried to use NAR to say which user has access to which device, but this way I must create a Windows group for each combination of user device access, which is extremely huge for 10 devices.
I would need one group for who can access device 1,5,8. Another for 4,8,9 and so on. Besides that, for each change I would need to create a new group.
The total number of combinations is more than 3,600,00 for 10 devices.
01-05-2009 12:14 PM
If you were to create a user group for each NAR combination you would need (2^10)-1 groups, or 1023 user groups. Still a big number and more than twice the number of available user groups in ACS. In this case you are better off configuring the NAR capability in each individual user configuration.
To explain the above number, the following list will explain:
devs | grps
3    | 7
4    | 15
5    | 31
For 3 devices, a, b and c, the combinations are: abc, ab, ac, bc, a, b, c (= 7)
For 5 devices, a, b, c, d and e, the combinations are: abcde, abcd, abce, abde, acde, bcde, abc, abd, abe, acd, ace, ade, bcd, bce, bde, cde, ab, ac, ad, ae, bc, bd, be, cd, ce, de, a, b, c, d and e (= 31)
and so on.
01-05-2009 12:28 PM
Ok, I had misused the 10! instead of 2^10-1, but that is not the point; the point is that too many groups would be necessary, and you caught that.
So you suggested using user level NAR, but can I use that for users in Windows? Like mapping an individual Windows user to an ACS user?
Or should I create local ACS database users to do that?
01-05-2009 01:21 PM
Ah, you didn't mention Windows. Well, if you only have 20 users, the most groups you would need are 20. Or, if you only have 20 users, I would suggest configuring the users directly on ACS and use Windows AD for authentication only. They keep their normal login, but you have control over them. I am assuming that these users are device administrators requiring access control to network devices through ACS.
01-06-2009 02:25 AM
Actually I mentioned in the title "mapped from windows" but I guess I should have said it in the conversation's body.
But my big problem is the growing number of users, so I would like a way to limit the access of users somehow so that I don't need one group per access combination.
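The group counts discussed in the replies above can be checked against a real access list. The following is an added example, not part of any post in this thread: it collapses users with identical device sets into one group and compares that with the 2^n - 1 upper bound. The user names and device sets in USER_ACCESS are constructed sample data.

```python
from collections import defaultdict


def max_groups(num_devices):
    """Upper bound from the thread: every non-empty subset of devices."""
    return 2 ** num_devices - 1


def plan_groups(user_access):
    """Collapse users that share exactly the same device set into one group.

    Returns {frozenset(devices): sorted list of users}. The number of keys
    is the number of groups (or per-user NAR variants) actually required.
    """
    groups = defaultdict(list)
    for user, devices in user_access.items():
        groups[frozenset(devices)].append(user)
    return {devs: sorted(users) for devs, users in groups.items()}


def groups_needed(user_access):
    """Distinct device sets in use; never more than the number of users."""
    return len(plan_groups(user_access))


# Constructed sample data (hypothetical users; device numbers 1..10).
USER_ACCESS = {
    "userA": {1, 5, 8, 9},
    "userB": {8, 9, 10},
    "userC": {1, 5, 8, 9},   # same set as userA, so no new group
    "userD": {2},
}

if __name__ == "__main__":
    print("upper bound for 10 devices:", max_groups(10))
    print("groups needed for sample:", groups_needed(USER_ACCESS))
    for devs, users in plan_groups(USER_ACCESS).items():
        print(sorted(devs), "->", users)
```

Running this against an export of the real user-to-device list shows how many distinct combinations are in use before deciding between group-level and user-level NAR.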