ACS 5.1 Authorization Policy matching Identity Groups

Unanswered Question
May 14th, 2010

Hi, has anyone managed to get an Auth Policy within an Access Service to match devices based on Identity Group membership?

My Auth Rule looks like this but never gets hit???

[attachment: Auth rule.JPG]

Jatin Katyal (Cisco Employee) Fri, 05/14/2010 - 15:43


When you say devices based on identity group membership, do you mean external groups? I could see that you have selected AD in your compound condition. It looks like you have added this attribute inside Active Directory > Directory Attributes.

If this is for ACS internal groups then we may try some more stuff.



Do rate helpful posts.

rhodrijenkins Mon, 05/17/2010 - 01:39

Hi JK,

This is using internal groups. The compound condition I'm using matches System:IdentityGroup in All Groups:IPPhones. Then the phone in question is a member of the ID group IPPhones. I've also tried setting the compound condition to Internal Users:UserIdentityGroup in All Groups:IPPhones but still to no avail.



Jatin Katyal (Cisco Employee) Mon, 05/17/2010 - 05:05

Let's try this way. VPN is an internal group and firewall is a device here.

jintao99 Mon, 05/17/2010 - 12:29

I have almost the exact same matching policy and it works fine.

Does your authentication pass successfully? What does the AAA report tell you? Maybe it hits other rules first.
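Following up on the point above that another rule may be matching first: the block below is an added example, written for this page and not taken from the thread or from Cisco ACS itself. It models how an ACS 5.x Access Service walks an Authorization Policy top-down with first-match semantics and how a hierarchical "in" condition on System:IdentityGroup is evaluated, so that a correctly written IPPhones rule can still never be hit. The rule names, the Protocol attribute, the "VoiceVLAN" result and the phone's session attributes are constructed for illustration, and the hierarchical "in" semantics (group plus nested child groups) is a modeled assumption.

```python
"""Added example (not from the thread, not Cisco code): a small model of how an
ACS 5.x Access Service evaluates an Authorization Policy, to show why a rule
keyed on Identity Group can be correct yet never be hit.

Modeled assumptions: rules are evaluated top-down and the first enabled rule
whose conditions all hold wins; "System:IdentityGroup in All Groups:IPPhones"
holds for that group and any group nested under it; the rule names, the
Protocol attribute and the phone's attributes are constructed for illustration.
"""
from dataclasses import dataclass


def group_in(actual_group: str, rule_group: str) -> bool:
    """Hierarchical 'in' operator: true for the group itself or any child
    group (children are colon-separated, e.g. All Groups:IPPhones:Floor2).
    The ':' suffix keeps 'All Groups:IPPhonesLegacy' from matching."""
    return actual_group == rule_group or actual_group.startswith(rule_group + ":")


@dataclass
class Rule:
    name: str
    conditions: dict          # attribute name -> (operator, value)
    result: str               # authorization profile returned on match
    enabled: bool = True


def rule_matches(rule: Rule, session: dict) -> bool:
    """All compound-condition terms must hold (AND); a missing attribute fails."""
    for attr, (op, value) in rule.conditions.items():
        actual = session.get(attr)
        if actual is None:
            return False
        if op == "in":
            if not group_in(actual, value):
                return False
        elif op == "equals":
            if actual != value:
                return False
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return True


def evaluate(rules: list, session: dict, default: str = "DenyAccess") -> tuple:
    """First-match evaluation; returns (matched rule name, result), the same
    information the 'Matched Rule' column of an AAA report gives you."""
    for rule in rules:
        if rule.enabled and rule_matches(rule, session):
            return rule.name, rule.result
    return "Default", default


# Constructed rule set resembling the thread's setup, with a broad rule
# placed above the IPPhones rule.
RULES_AS_POSTED = [
    Rule("Rule-1-AnyRadius",
         {"Protocol": ("equals", "Radius")},
         "PermitAccess"),
    Rule("Rule-2-IPPhones",
         {"Protocol": ("equals", "Radius"),
          "System:IdentityGroup": ("in", "All Groups:IPPhones")},
         "VoiceVLAN"),
]
RULES_REORDERED = [RULES_AS_POSTED[1], RULES_AS_POSTED[0]]
RULES_IPPHONES_ONLY = [RULES_AS_POSTED[1]]

# Constructed session attributes for an internal user in the IPPhones group.
PHONE = {"Protocol": "Radius",
         "System:UserName": "SEP001122334455",
         "System:IdentityGroup": "All Groups:IPPhones"}


def diagnose() -> dict:
    """Run the scenarios the thread raises and return which rule matched."""
    nested = dict(PHONE, **{"System:IdentityGroup": "All Groups:IPPhones:Floor2"})
    lookalike = dict(PHONE, **{"System:IdentityGroup": "All Groups:IPPhonesLegacy"})
    # No internal identity group at all, e.g. the device was authenticated
    # against an external store rather than the ACS internal user database.
    no_group = {"Protocol": "Radius", "System:UserName": "SEP001122334455"}
    return {
        "as_posted": evaluate(RULES_AS_POSTED, PHONE),
        "reordered": evaluate(RULES_REORDERED, PHONE),
        "nested_group": evaluate(RULES_REORDERED, nested),
        "lookalike_group": evaluate(RULES_REORDERED, lookalike),
        "no_group": evaluate(RULES_IPPHONES_ONLY, no_group),
    }


if __name__ == "__main__":
    for scenario, (rule, result) in diagnose().items():
        print(f"{scenario:16} -> matched {rule}, result {result}")
```

The "as_posted" scenario is the case the previous reply describes: the broad rule above the IPPhones rule takes the match, so the report shows Rule-1 and the IPPhones rule is never consulted; moving the more specific rule up fixes it. The "no_group" scenario is the other thing worth checking in the AAA report: if the session carries no internal identity group (the user was not found in the internal store), an "in All Groups:IPPhones" condition can never hold and only the default rule fires.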



rhodrijenkins Tue, 05/18/2010 - 07:40

Hmmm, all very strange. I configured this on an Eval copy of ACS. This morning the real box arrived, so once it's installed I'll try this again and report the results back here.

Thanks gentlemen for your assistance


