I am looking for some advice on an issue I am experiencing with an ACS migration from 4.2 to 5.3. I have used the migration utility and transferred all the ID groups, network devices including their groups, etc. to 5.3 without any issues.
In 4.2 we heavily favoured permissions based on network device groups; in 5.3, as you may know, this is not possible.
The issue I have is this:
The 3000 devices are split across 38 networks. Nothing can be done to change this due to the network device function.
Accessing these devices are 44 different user ID groups, all with varying levels of permissions to the networks they have access to.
I have tried various methods to create new NDGs and ID stores to group devices and/or users to limit the number of policy rules I will need, but so far I have been unable to come up with a solution.
I could create a rule for each situation; this, however, would result in a rule base of over 500 rules.
Why Cisco did not build ACS 5.X with the ability to allow several groups to connect to one NDG using one rule escapes me.
The main issue I have is that I can only assign one user group and one network device group to a rule. Let me give you an example. I have one network device group; accessing that group I have 4 teams, all with the same permissions. I cannot create one rule for this as I can only assign one user group to the policy rule. I could, I guess, create a new user group, BUT there are other network device groups that potentially three of these user groups don't have access to.
I have thought about building hierarchies of user groups and/or network device groups but do not believe this would work, based on the many NDGs that all the groups have access to.
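The sizing problem in the post, as an added example that is not part of the original thread: it models the one-user-group-plus-one-NDG-per-rule constraint, counts the baseline rules, finds which user groups have identical access profiles (the only ones that can safely sit under one parent identity group), and shows the over-grant that results from merging groups whose profiles differ. Group, NDG and permission names are constructed sample data, not from the post.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names): user group -> {NDG: permission level}.
ACCESS = {
    "NetOps-A": {"Core": "priv15", "Edge": "priv15"},
    "NetOps-B": {"Core": "priv15", "Edge": "priv15"},
    "NetOps-C": {"Core": "priv15", "Edge": "priv15", "DC": "priv15"},
    "Helpdesk": {"Core": "priv1", "Edge": "priv1"},
    "Vendor":   {"Edge": "priv1"},
}


def naive_rule_count(access):
    """Baseline for ACS 5.x: one rule per (user group, NDG) pair."""
    return sum(len(ndgs) for ndgs in access.values())


def merge_identical_profiles(access):
    """Cluster user groups whose full profile (every NDG and its level) is identical.
    Only these clusters can become one parent identity group without giving any
    member access it did not already have, i.e. without breaking least privilege."""
    by_profile = defaultdict(list)
    for group, ndgs in access.items():
        by_profile[tuple(sorted(ndgs.items()))].append(group)
    return {tuple(groups): dict(profile) for profile, groups in by_profile.items()}


def merged_rule_count(access):
    """Rules needed after collapsing identical-profile groups into one parent each."""
    return sum(len(ndgs) for ndgs in merge_identical_profiles(access).values())


def unsafe_merge_overgrant(access, groups):
    """If groups with differing profiles are merged, every member gets the union of
    their NDGs. Returns the (group, NDG) grants that did not exist before; checks
    NDG membership only, not permission-level escalation."""
    union = set()
    for g in groups:
        union.update(access[g])
    return sorted((g, ndg) for g in groups for ndg in union if ndg not in access[g])


if __name__ == "__main__":
    print("baseline rules:", naive_rule_count(ACCESS))
    print("after safe merges:", merged_rule_count(ACCESS))
    print("over-grant from merging A/B/C:",
          unsafe_merge_overgrant(ACCESS, ["NetOps-A", "NetOps-B", "NetOps-C"]))
```

Run against the real 44-group/38-NDG inventory, the difference between the two counts shows how much a parent-group hierarchy can actually save, and the over-grant list flags exactly which merges would open extra NDGs.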