ACS 5.1 - user attributes

Unanswered Question
Aug 10th, 2010


I am testing ACS 5.1 and have some questions to be answered.

The general concept suits me well (service policy, access policy and so on). It's very flexible, but what I'm looking for right now is a way to assign the privilege-level attribute only to a specific user. I've only managed to assign shell profiles to a specific condition, but for me it doesn't make sense to create a new rule per user.

Is there a way to do it differently? Similar to version 4.2 of ACS, where user attributes overrode group attributes?

And the second question:

What are the Dictionaries (TACACS+, RADIUS) for? They list only attributes (there are checkboxes, but for what purpose?). Where can they be used?

Thanks for the explanation.


jrabinow Tue, 08/10/2010 - 03:30

Are you using the internal user database for your user definitions? If so, you can assign privilege levels as follows:

- Create an internal user attribute for "priv level"

- For each user, enter the assigned priv level

- Create a shell profile for each of the priv levels you wish to assign

Create a rule in authorization for each priv level you wish to assign:

- if "user-attribute.priv-level" equals 1 then result "shell profile with priv level equals 1"

The RADIUS and TACACS+ dictionaries can be used in policy conditions, and RADIUS attributes can be used in authorization profiles.

Przemyslaw Konitz Tue, 08/10/2010 - 03:48

Thanks for the reply.

I tried it that way and it works; however, it is not completely what I am looking for. Why? Because it forces me to define too many rules in the authorization section of Access Services.

In some way it is simple but...

The situation can get worse if the other conditions differ and I need to distinguish them additionally by privil-level-condition.

I tried it that way:

I defined a mandatory user attribute (priv-lvl: unsigned integer 32) and assigned a Policy Condition Display Name (privil-level-condition).

I have 4 user classes and more additional conditions in the rule definition (identity group, location, device type, time & date ...).

If all other conditions are the same and only privil-level-condition is different, new rules need to be created (which are generally the same) with a different "shell profile" result.

Am I correct?

Is this the only way to do this?

An additional question:

How do I combine it with an IAS RADIUS server, which can return an AV attribute (priv-lvl for example)? Do this condition and a new rule need to be defined as well, with a shell-profile result? Does the privilege level attribute always need to be returned as a shell-profile result?
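To make the two posts above concrete (jrabinow's rule-per-priv-level recipe and the rule explosion Przemyslaw describes when identity group, location and other conditions are added), here is a small model of a first-match authorization table. It is an added illustration written for this thread, not Cisco code and not an ACS export: the rule format, the attribute names (`identity-group`, `location`, `priv-lvl`) and the sample groups and privilege levels are constructed assumptions. The point it demonstrates is that when priv-lvl can only be consumed as a rule condition, the table size is the product of every condition dimension times the number of privilege levels, and a request missing any one of those attributes matches nothing.

```python
"""Model of an ACS-style first-match authorization table (added example).

Assumptions (not from the original thread or from Cisco):
  - a rule is a dict of attribute -> required value plus a shell-profile result
  - rules are evaluated top to bottom, first match wins, no match means no profile
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ShellProfile:
    name: str
    priv_lvl: int          # privilege level the profile returns to the device


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: Dict[str, object]   # every condition must be true to match
    result: ShellProfile

    def matches(self, request: Dict[str, object]) -> bool:
        # A missing attribute in the request is treated as "not equal",
        # so a rule with a location condition never matches a request
        # that carries no location.
        return all(request.get(k) == v for k, v in self.conditions.items())


def build_rules(dimensions: Dict[str, List[object]], priv_levels: List[int]) -> List[Rule]:
    """One rule per combination of condition values and privilege level.

    dimensions: e.g. {"identity-group": [...], "location": [...]}.
    The resulting table has prod(len(values)) * len(priv_levels) rules:
    each extra condition dimension multiplies the table, which is the
    growth Przemyslaw describes in the thread.
    """
    keys = list(dimensions)
    rules = []
    for combo in product(*(dimensions[k] for k in keys)):
        for lvl in priv_levels:
            conds: Dict[str, object] = dict(zip(keys, combo))
            conds["priv-lvl"] = lvl          # the per-user attribute, used as a condition
            label = "-".join(str(v) for v in combo)
            rules.append(Rule(f"{label}-priv{lvl}", conds,
                              ShellProfile(f"shell-priv{lvl}", lvl)))
    return rules


def authorize(rules: List[Rule], request: Dict[str, object]) -> Optional[ShellProfile]:
    """First-match evaluation; None models 'no rule matched, no profile returned'."""
    for rule in rules:
        if rule.matches(request):
            return rule.result
    return None


def rule_count(dimensions: Dict[str, List[object]], priv_levels: List[int]) -> int:
    return len(build_rules(dimensions, priv_levels))


# Constructed sample data: four user classes, two locations, three privilege levels.
DIMENSIONS = {
    "identity-group": ["NetAdmins", "Helpdesk", "Auditors", "Contractors"],
    "location": ["HQ", "Branch"],
}
PRIVS = [1, 7, 15]
RULES = build_rules(DIMENSIONS, PRIVS)

if __name__ == "__main__":
    print(f"{rule_count(DIMENSIONS, PRIVS)} rules for "
          f"{len(DIMENSIONS['identity-group'])} groups x "
          f"{len(DIMENSIONS['location'])} locations x {len(PRIVS)} priv levels")
    req = {"identity-group": "Helpdesk", "location": "HQ", "priv-lvl": 7}
    print("Helpdesk@HQ priv 7 ->", authorize(RULES, req))
    print("no location      ->", authorize(RULES, {"identity-group": "Helpdesk", "priv-lvl": 7}))
```

Dropping the `location` dimension cuts the table to 12 rules, and dropping priv-lvl as a condition altogether (if the privilege level could be sourced from the user record instead) would cut it to one rule per group; that difference is exactly what the original question is asking ACS 5.1 for.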
