ACS 5.1 Authorization Policy matching Identity Groups

rhodrijenkins
Level 1

Hi, has anyone managed to get an Auth Policy within an Access Service to match devices based on Identity Group Membership?

My Auth Rule looks like this but doesn't ever get hit???

Auth rule.JPG

5 Replies

Jatin Katyal
Cisco Employee

Hi,

When you say devices based on identity group membership, do you mean external groups, because I could see that you have selected AD in your compound condition? Looks like you have added this attribute inside Active Directory > Directory Attributes.


If this is for ACS internal groups, then we may try some more stuff.


Regards,

JK


Do rate helpful posts-

~Jatin

Hi JK,

This is using internal groups. The compound condition I'm using matches System:IdentityGroup in All Groups:IPPhones. Then the phone in question is a member of the ID group IPPhones. I've also tried setting the compound condition to Internal Users:UserIdentityGroup in All Groups:IPPhones but still to no avail.

Thanks

Rhodri

Let's try it this way. VPN is an internal group and firewall is a device here.

~Jatin

jintao99
Level 1

I have almost the exact same matching policy and it works fine.

Does your authentication pass successfully? What does the AAA report tell you? Maybe it hits other rules first.

Thanks,

Tao

Hmmm all very strange. I configured this on an Eval copy of ACS. This morning the real box arrived so once installed I'll try this again and report the results back here.

Thanks, gentlemen, for your assistance.

Rhodri
