ACS 5.x Policy for Multiple NDG Combinations

Answered Question
Sep 25th, 2010

Hi,

I am trying to work out if there is a way to create policies for individual users on ACS 5.x.


For example, I have a v5.2 ACS with an Internal Identity Store of 100 users. There are 15 Network Device Groups configured at the same level (no sub-levels).


I need to be able to assign individual users access to any combination of NDGs. So, for example, User1 would have access to devices in NDG 1, 5, 6 and 13, and User2 would have access to NDG 5, 7 and 9, etc.


In a 4.x ACS I would create Groups that would define the privilege level and then on User-Level Network Access Restrictions I would select which NDGs could be permitted.


I am trying to get my head around how I can achieve the same in v5.x ACS. If there were only a few NDGs then I could create policies that would cover all possibilities but the permutations increase exponentially with the number of NDGs which makes this approach impractical.


Am I wrongly trying to apply 4.x logic to a 5.x solution? Any ideas would be greatly appreciated.


Cheers


Dave

Federico Lovison (Cisco Employee) Thu, 10/07/2010 - 13:17

Hi Dave,


You may try to configure a rule for each user on the authorization policy, specifying a compound condition.

E.g.: NDG:NDG1 or NDG:NDG2 or NDG:NDG3


You need to add the "compound condition" on the authz policy for your access service with the "customize" button.

Then, check this link for more details on how to configure the compound conditions:

http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html#wp1054918


I hope this helps.


Regards,

Federico

rodmunch999 Tue, 10/12/2010 - 21:35

Thanks very much for the reply, Federico. I can now see how I can select different combinations of NDGs using a compound condition with OR statements. What I do not get, though, is how I can select an individual username as another condition in this policy.


In the compound policy I can select the Dictionary item "Internal Users" as a condition, but this only shows the user attributes, not the username (see screenshot).


Basically, I want to be able to use the username from an Internal Identity Store as a condition in a policy. Is this possible?

Correct Answer
Federico Lovison (Cisco Employee) Wed, 10/13/2010 - 01:19

Hi Dave,


For this I would suggest to add a specific condition on the Authorization policy checking for the "System:UserName".

You can do so going back to "Customize" and adding the "System:UserName" condition to the "Selected:" list of conditions.


I hope this answers your question.


Regards,

Federico


--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

rodmunch999 Wed, 10/13/2010 - 16:54

Thanks Federico - I saw that option but thought it was for the system name - I should have tested it. Thank you very much.
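The policy shape Federico describes in the two replies above (one authorization rule per user, combining a System:UserName match with a compound OR condition over NDGs) can be modelled to see why it scales linearly in users rather than exponentially in NDGs. The Python below is an added example written for this page, not ACS configuration or Cisco code: the rule/request classes, the `Permit`/`DenyAccess` result names, the sample users and the NDG names are all constructed for illustration. It assumes top-down, first-match rule evaluation with a default rule, which is how ACS 5.x rule-based policies behave, and it adds a shadowed-rule check, since with 100 per-user rules a duplicate username rule whose NDG set is covered by an earlier one would never be reached.

```python
"""Model of a per-user ACS 5.x-style authorization policy.

Illustrative model only (not ACS syntax): each rule pairs an exact
System:UserName condition with a compound OR condition over Network
Device Groups (NDGs), as suggested in the thread above.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    username: str          # System:UserName condition (exact match)
    ndgs: FrozenSet[str]   # compound condition: NDG:A or NDG:B or ...
    result: str            # authorization profile returned on match


@dataclass(frozen=True)
class Request:
    username: str
    ndg: str               # NDG of the network device sending the request


# Assumed default rule: anything not matched by an explicit rule is denied.
DEFAULT_RESULT = "DenyAccess"


def build_rules(user_ndgs: Dict[str, List[str]], result: str = "Permit") -> List[Rule]:
    """One rule per user; the compound condition is the OR of that user's NDGs."""
    return [Rule(f"{user}-rule", user, frozenset(ndgs), result)
            for user, ndgs in user_ndgs.items()]


def evaluate(rules: List[Rule], req: Request) -> str:
    """Top-down, first-match evaluation, falling through to the default rule."""
    for rule in rules:
        if req.username == rule.username and req.ndg in rule.ndgs:
            return rule.result
    return DEFAULT_RESULT


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (earlier_rule, shadowed_rule) pairs: a later rule for the same
    username whose NDG set is a subset of an earlier rule's can never match."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.username == later.username and later.ndgs <= earlier.ndgs:
                shadowed.append((earlier.name, later.name))
                break
    return shadowed


def combination_rule_count(n_ndgs: int) -> int:
    """Rules needed if one rule were written per non-empty NDG combination."""
    return 2 ** n_ndgs - 1


# Constructed sample data mirroring the question: two of the 100 users,
# fifteen flat NDGs named NDG1..NDG15.
USER_NDGS = {
    "User1": ["NDG1", "NDG5", "NDG6", "NDG13"],
    "User2": ["NDG5", "NDG7", "NDG9"],
}
RULES = build_rules(USER_NDGS)

if __name__ == "__main__":
    for req in (Request("User1", "NDG5"), Request("User1", "NDG7"),
                Request("User2", "NDG7"), Request("User3", "NDG5")):
        print(req.username, req.ndg, "->", evaluate(RULES, req))
    print("per-user rules:", len(RULES),
          "vs per-combination rules:", combination_rule_count(15))
    print("shadowed:", find_shadowed(RULES + [Rule("dup", "User2", frozenset({"NDG7"}), "Permit")]))
```

Per-user rules grow with the number of users (100 here) while the per-combination approach the question worried about would need 2^15 - 1 rules for 15 flat NDGs; the shadowed-rule check is worth running whenever rules are appended to a long first-match policy.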
