Hi there!
I'm currently deploying Cisco ACS 5.4 on our network and I'm looking into some extra measures to secure authentication and authorization to devices.
I would like to ask if anyone has tips on the following, since I may have confused myself by wanting to do it this way.
OK, users as of now are authenticated from an external identity store (Active Directory). I would like to know if there's a way to also authenticate these users or authorize them from ACS, so that when, for example, the IT department adds a user that should not be in a group, but the group is authenticated for a set of devices, that user will not be able to access the devices.
A more simple explanation is as follows.
Groups etc. are fictional.
I have a group in AD called "Engineers" containing 2 users, user A and user B.
Engineers have a shell profile on ACS that grants them Super-user permissions/privileges on devices.
However, Active Directory is managed by the IT department, which might be socially engineered into adding user C to this group.
What I need to find out is a way to only allow user A and user B to access the devices while maintaining the shell profile with the AD group "Engineers".
I am aware of compound conditions in authorization profiles/rules. Will that mean I will have to create local users and assign them passwords as well?
I'm a bit confused, as you can see...
Any help will be greatly appreciated!
Since user C would be added to the same group that already contains users A and B, and the authorization rule is configured to grant the super-user access based on users A and B's membership in the group Engineering, then user C will also be granted that access.
ACS has no way of knowing what users are members of the Engineering group, nor can it detect that user C has been incorrectly added.
If you want to use AD credentials, and at the same time maintain a canonical list of users for ACS to check, you will need to create local users on ACS, as you suggested above.
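To make the answer concrete, here is an added example (not from the thread and not Cisco ACS code) that models the two rules side by side: the group-only rule that lets user C through, and the compound rule that also requires the user to be on the local ACS list. It also reports AD group members missing from the local list, which is the review check ACS itself cannot perform. Group names, user names and the local list are constructed for the example.

```python
"""Model of the ACS authorization rules discussed in the thread (constructed data)."""

# Constructed snapshot of AD group membership as seen through the external
# identity store. User C has just been added to "Engineers" by the IT department.
AD_GROUPS = {
    "Engineers": {"userA", "userB", "userC"},
    "Helpdesk": {"userD"},
}

# Canonical list of users maintained locally on ACS (the local users the answer
# refers to). Only A and B are meant to hold the super-user shell profile.
ACS_LOCAL_USERS = {"userA", "userB"}

SUPER_USER_PROFILE = "SuperUser"  # shell profile granted by the rule


def authorize_group_only(user, ad_groups=AD_GROUPS):
    """Rule as originally configured: AD group membership alone grants the profile."""
    if user in ad_groups.get("Engineers", set()):
        return SUPER_USER_PROFILE
    return None  # no matching rule: access denied


def authorize_compound(user, ad_groups=AD_GROUPS, local_users=ACS_LOCAL_USERS):
    """Compound condition: AD group membership AND presence on the ACS local list."""
    in_group = user in ad_groups.get("Engineers", set())
    if in_group and user in local_users:
        return SUPER_USER_PROFILE
    return None


def group_drift(group, ad_groups=AD_GROUPS, local_users=ACS_LOCAL_USERS):
    """AD group members absent from the canonical list; these warrant review."""
    return sorted(ad_groups.get(group, set()) - local_users)


if __name__ == "__main__":
    for u in ("userA", "userC"):
        print(u, "group-only:", authorize_group_only(u),
              "compound:", authorize_compound(u))
    print("Engineers members not on the ACS list:", group_drift("Engineers"))
```

Running the script shows user C receiving the profile under the group-only rule and being denied under the compound rule, with the drift report naming userC as the unexpected member.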