ACS v5 best practice w/ access policies.

Unanswered Question
Sep 22nd, 2009

Hello, I am in the process of deploying an ACS v5 appliance with 2 network devices talking through it to MS Active Directory via LDAP. It works great, but I have a design question.


Our current access policy has one AD group match, one AD attribute match, and network device type is valid. If those 3 items match then permit access. Pretty simple. But my question is specific to the network device type. Is it best practice to have one large access policy with different network device types OR have one access policy per device type?


For example, let's say I have a 3000 series Concentrator and a 5500 series ASA, and logging into the network via their devices I have the same IT support person, and I am pulling the AD attribute msdialin=TRUE.


One Access Policy

1: IT Support memberOf=VPN User Allow Dial in=True Network Device=VPN 3000

2: IT Support memberOf=VPN User Allow Dial in=True Network Device=ASA 5500


Or have two Access Policies, one dedicated to each device type?


Access Services

>VPN 3000

>Authorization

1: IT Support memberOf=VPN User Allow Dial in=True


Access Services

>ASA 5500

>Authorization

1: IT Support memberOf=VPN User Allow Dial in=True



Just not sure which way to go. Any help is greatly appreciated.

e-
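To make the trade-off between the two layouts concrete, here is an added example that is not part of the original post and is not Cisco ACS code. It models both designs as plain rule lists: one access policy where the device type is a condition on each rule, versus one access service per device type selected before any rule is read. Rule evaluation is assumed to be first-match with an implicit deny at the end, and the post's "msdialin" attribute is assumed to be the AD attribute msNPAllowDialin; the device names, group name and the "Core Switch" device type are constructed for the demonstration. The point it shows is the blast radius of a rule that an administrator later adds without a device-type condition: in the single-policy design it matches requests from any device type, while in the per-device design it can only ever affect the service it was added to.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# The post calls the attribute "msdialin"; the real AD attribute name is assumed here.
DIALIN_ATTR = "msNPAllowDialin"


@dataclass(frozen=True)
class Request:
    """What the policy engine knows about one authorization request."""
    device_type: str              # network device group the request arrived from
    groups: FrozenSet[str]        # AD groups the user is a member of
    attributes: Dict[str, str]    # AD attributes fetched over LDAP


@dataclass(frozen=True)
class Rule:
    name: str
    required_group: str
    required_attr: Tuple[str, str]
    device_type: Optional[str] = None   # None: rule is not scoped to a device type
    result: str = "PERMIT"


def rule_matches(rule: Rule, req: Request) -> bool:
    """All three conditions from the post must hold: group, attribute, device type."""
    if rule.device_type is not None and rule.device_type != req.device_type:
        return False
    if rule.required_group not in req.groups:
        return False
    attr_name, attr_value = rule.required_attr
    return req.attributes.get(attr_name) == attr_value


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First-match evaluation (assumed); falling off the end is an implicit deny."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.result, rule.name
    return "DENY", "implicit default"


# Design 1: one access policy, device type is a condition on every rule.
SINGLE_POLICY: List[Rule] = [
    Rule("IT Support on VPN 3000", "VPN User", (DIALIN_ATTR, "TRUE"), "VPN 3000"),
    Rule("IT Support on ASA 5500", "VPN User", (DIALIN_ATTR, "TRUE"), "ASA 5500"),
]

# Design 2: one access service per device type; the service is chosen first,
# so the rules inside it never need a device-type condition.
PER_DEVICE_SERVICES: Dict[str, List[Rule]] = {
    "VPN 3000": [Rule("IT Support", "VPN User", (DIALIN_ATTR, "TRUE"))],
    "ASA 5500": [Rule("IT Support", "VPN User", (DIALIN_ATTR, "TRUE"))],
}


def evaluate_single_policy(req: Request, policy: List[Rule] = SINGLE_POLICY) -> Tuple[str, str]:
    return evaluate(policy, req)


def evaluate_per_device(req: Request,
                        services: Dict[str, List[Rule]] = PER_DEVICE_SERVICES) -> Tuple[str, str]:
    rules = services.get(req.device_type)
    if rules is None:
        return "DENY", "no access service for device type"
    return evaluate(rules, req)


# A rule added later for the ASA that the administrator forgot to scope to a device type.
UNSCOPED_RULE = Rule("Helpdesk quick fix", "VPN User", (DIALIN_ATTR, "TRUE"))


def blast_radius_of_unscoped_rule(device_type: str) -> Tuple[str, str]:
    """Results (single-policy, per-device) for a user who satisfies the unscoped rule
    but connects from `device_type`; the rule was only ever meant for the ASA."""
    req = Request(device_type, frozenset({"VPN User"}), {DIALIN_ATTR: "TRUE"})
    single = evaluate_single_policy(req, SINGLE_POLICY + [UNSCOPED_RULE])
    services = dict(PER_DEVICE_SERVICES)
    services["ASA 5500"] = PER_DEVICE_SERVICES["ASA 5500"] + [UNSCOPED_RULE]
    per_device = evaluate_per_device(req, services)
    return single[0], per_device[0]


if __name__ == "__main__":
    # Constructed requests: the intended user, and the same user from an unrelated device group.
    for dev in ("VPN 3000", "ASA 5500", "Core Switch"):
        print(dev, "->", blast_radius_of_unscoped_rule(dev))
```

Both layouts give the same answer for the two requests the post describes. They diverge only when a rule is mis-scoped: the per-device layout contains the mistake to one device type, which is the argument for separate access services when the device types are administered by different people or change at different rates, while the single-policy layout keeps every rule for a given user population in one place, which is easier to audit when the rule set is small.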

