ACS 5.1 Authorization Policy matching Identity Groups

May 14th, 2010

Hi, has anyone managed to get an Auth Policy within an Access Service to match devices based on Identity Group membership?


My Auth Rule looks like this but doesn't ever get hit???



[Attachment: Auth rule.JPG]

Jatin Katyal (Cisco Employee) Fri, 05/14/2010 - 15:43

Hi,


When you say devices based on identity group membership, do you mean external groups? I can see that you have selected AD in your compound condition. It looks like you have added this attribute under Active Directory > Directory Attributes.


If this is for ACS internal groups, then we may try some more stuff.


Regards,

JK

Do rate helpful posts.

rhodrijenkins Mon, 05/17/2010 - 01:39

Hi JK,

This is using internal groups. The compound condition I'm using matches System:IdentityGroup in All Groups:IPPhones, and the phone in question is a member of the ID group IPPhones. I've also tried setting the compound condition to Internal Users:UserIdentityGroup in All Groups:IPPhones, but still to no avail.


Thanks

Rhodri

Jatin Katyal (Cisco Employee) Mon, 05/17/2010 - 05:05


Let's try this way. VPN is an internal group and firewall is a device here.

jintao99 Mon, 05/17/2010 - 12:29

I have almost the exact same matching policy and it works fine.

Does your authentication pass successfully? What does the AAA report tell you? Maybe it hits other rules first.


Thanks,

Tao
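The first-match behaviour Tao is pointing at (a rule higher in the table catching the phone before the IPPhones rule is ever reached) is the usual reason a correctly written rule is "never hit". The following is an added example, not code from this thread and not Cisco's own implementation: a small Python model of an ACS-style authorization rule table, evaluated top-down with the first fully matching rule winning, and an `in` operator that treats `All Groups:IPPhones` as matching that group or anything nested beneath it. The rule names, the authorization profile names, the prefix semantics of `in` on the group path, and the session records are all assumptions made for the example.

```python
"""Toy first-match authorization policy evaluator.

Added example, not from the thread and not Cisco ACS code. It models two
things the thread turns on:
  * an authorization rule table is evaluated top-down and the FIRST rule
    whose conditions all match is applied; rules below it are never reached;
  * the condition  System:IdentityGroup in All Groups:IPPhones  matches when
    the session's identity group is that group or a group nested under it.
Rule names, profile names and session records are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    # Each condition is (attribute, operator, value); all must hold (AND).
    conditions: list
    result: str  # authorization profile to return (assumed name)


def group_in(identity_group: str, container: str) -> bool:
    """'in' on hierarchical group paths (assumed semantics): true when the
    identity group is `container` itself or a descendant, i.e. the container
    path followed by ':'. A prefix without the ':' (IPPhonesX) does not match."""
    return identity_group == container or identity_group.startswith(container + ":")


OPERATORS = {
    "in": group_in,
    "equals": lambda actual, expected: actual == expected,
}


def evaluate(rules, session: dict):
    """Return (rule name, result) for the first rule whose every condition
    matches the session, or ("Default", "DenyAccess") when none does."""
    for rule in rules:
        if all(
            OPERATORS[op](session.get(attr, ""), value)
            for attr, op, value in rule.conditions
        ):
            return rule.name, rule.result
    return "Default", "DenyAccess"


# Constructed rule table that reproduces the "never hit" symptom: a broad
# rule that matches every internal identity group sits ABOVE the IPPhones
# rule, so the phone is always caught by the first rule.
SHADOWED = [
    Rule("AnyInternalUser", [("System:IdentityGroup", "in", "All Groups")], "PermitAccess"),
    Rule("IPPhones", [("System:IdentityGroup", "in", "All Groups:IPPhones")], "VoiceVLAN"),
]

# Same two rules with the more specific one placed first.
ORDERED = [SHADOWED[1], SHADOWED[0]]

# Constructed sessions: a phone in the IPPhones group and a laptop elsewhere.
PHONE_SESSION = {"System:IdentityGroup": "All Groups:IPPhones"}
LAPTOP_SESSION = {"System:IdentityGroup": "All Groups:Corporate:Laptops"}


if __name__ == "__main__":
    for label, table in (("shadowed", SHADOWED), ("ordered", ORDERED)):
        print(label, "phone ->", evaluate(table, PHONE_SESSION))
        print(label, "laptop ->", evaluate(table, LAPTOP_SESSION))
```

Reading the AAA report in the same way as `evaluate` here (which rule name the report says was matched, and whether that rule is above the IPPhones rule in the table) is the quickest way to tell a shadowing problem from a condition that genuinely does not match.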

rhodrijenkins Tue, 05/18/2010 - 07:40

Hmmm, all very strange. I configured this on an Eval copy of ACS. This morning the real box arrived, so once it is installed I'll try this again and report the results back here.

Thanks gentlemen for your assistance

Rhodri
