Cisco Support Community
Community Member

ACS 5.1 Authorization Policy matching Identity Groups

Hi, has anyone managed to get an Auth Policy within an Access Service to match devices based on Identity Group membership?

My Auth Rule looks like this but doesn't ever get hit???

Auth rule.JPG

5 REPLIES
Cisco Employee

Re: ACS 5.1 Authorization Policy matching Identity Groups

Hi,

When you say devices based on identity group membership, do you mean external groups? Because I could see that you have selected AD in your compound condition. Looks like you have added this attribute inside Active Directory > Directory Attributes.

If this is for ACS internal groups then we may try some more stuff.


Regds,

JK


~BR Jatin Katyal **Do rate helpful posts**
Community Member

Re: ACS 5.1 Authorization Policy matching Identity Groups

Hi JK,

This is using internal groups. The compound condition I'm using matches System:IdentityGroup in All Groups:IPPhones. Then the phone in question is a member of the ID group IPPhones. I've also tried setting the compound condition to Internal Users:UserIdentityGroup in All Groups:IPPhones but still to no avail.

Thanks

Rhodri

Cisco Employee

Re: ACS 5.1 Authorization Policy matching Identity Groups

Let's try this way. VPN is an internal group and firewall is a device here.

~BR Jatin Katyal **Do rate helpful posts**
Community Member

Re: ACS 5.1 Authorization Policy matching Identity Groups

I have almost the exact same matching policy and it works fine.

Does your authentication pass successfully? What does the AAA report tell you? Maybe it hits other rules first.

Thanks,

Tao

Community Member

Re: ACS 5.1 Authorization Policy matching Identity Groups

Hmmm, all very strange. I configured this on an Eval copy of ACS. This morning the real box arrived, so once installed I'll try this again and report the results back here.

Thanks, gentlemen, for your assistance.

Rhodri
