ACS 5.1 service selection rules

Unanswered Question
Jul 5th, 2010
User Badges:

Good morning,

I need to assign diferent authorization profiles to remote users based on their active directory group.

I have read that cannot use identity-based condition in a service selection rule.

Any idea how can achieve it if remote users auth request are coming from the same ASA and cannot differentiate by active directory they belong?

Thanks and best regards


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
nickjacobs Thu, 07/08/2010 - 20:39
User Badges:

First define your External Identity Stores, Active Directory - Directory Groups for the relevant AD groups you want to classify people by, then under group mapping for the Access policy define rules matching the AD group to the identity group you want (defined under users and identity stores/ identity groups)

nickjacobs Thu, 07/08/2010 - 20:46
User Badges:

Sorry after reading your question a again - for authorization - same setup for AD group definition, but rules under the Access service policy, Authorization section with rules to match the AD group - with different auth policies tied to them

franpena2008 Fri, 07/09/2010 - 00:49
User Badges:

Good morning,

I have mapped Active directory groups, I have defined some authorization profiles access for different groups and location to send the ASA radius atributes (group policy atribute 55, and split-tunnel list)

The problem is how can I differentiate in the service selection rules which rule match a A.D group. In a service rule selection cannot use identity-based condition.

Best regards


nickjacobs Mon, 07/12/2010 - 16:10
User Badges:

Yep exactly - you cant use service selection - you have to use service selection to choose your VPN access service you created (as simple as "match radius from device type VPN Concentrators"

Then the policies under the VPN access service define the link between AD groups and auth profiles that you want

So under your VPN access service

- under identity you would choose your AD (single result selection)

- under group mapping you would have rules for each group you want to choose from based on AD of the form AD-AD1:ExternalGroups contains any with a resultant identity group that you have defined in ACS

- finally under authorization you would have rules for each group of the form AD-AD1:ExternalGroups contains any with a resultant authorisation profile you wish to have tied to that group.

Good luck. Main point- its not service selection you do this under, its the access service policy selected by the service selection - just have one for VPN and under it choose the group and auth profile.


This Discussion