I have a customer with an ACS config that has an identity store sequence to authenticate against for TACACS. First the internal database is checked for the user. If they do not exist there, they are checked against AD.
If the user is one of the 200+ they have migrated from an ACS 4 config into internal users, they want to give them full enable access. If the user is not in the internal database and needs to be verified via AD, they only get priv 1 access.
Is there an easy way to create an Authorization rule in the default device admin service selection rule to do this?
I'm trying to test via a compound Condition. The condition matches the Dictionary Internal Users group attribute with a value of All Groups. I cannot connect to AD at the moment to test this as it's in a lab environment, but I'm hoping that when this rule is checked, only users that are explicitly in the internal database via the All Groups condition will match. If the user was matched via AD, this rule won't match and the next one will come into effect, which is a default rule to give priv 1 access.
Excuse my stupidity. There is an Identity Group condition in the Authorization rules page for this. I don't need a compound condition.
My intention is to match on Any Group there and apply priv 15 access with a shell profile.
I will then leave the default rule to catch all others, which go to AD for authentication. I assume they will not match the Any Groups Identity Group, so they will use the default rule. I'll then apply the appropriate shell profile to the default rule.
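As an added illustration (not code from this thread or from Cisco ACS), the following Python model mirrors the identity-store sequence and rule order described above so the resulting privilege level per user type can be checked; the user names and the store contents are constructed assumptions. It also covers the edge case worth verifying before deployment: an account present in both stores is resolved by the internal database first, so a stale migrated internal account still receives priv 15.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample stores (assumption, not real data). Order mirrors the
# ACS identity store sequence: internal database first, AD only on a miss.
INTERNAL_USERS = {"alice", "bob"}   # migrated from ACS 4, members of an internal identity group
AD_USERS = {"carol", "bob"}         # "bob" exists in both stores (edge case)


@dataclass
class AuthResult:
    user: str
    store: str                      # "internal", "ad" or "none"
    identity_group: Optional[str]   # only internal users carry an ACS identity group


def authenticate(user: str) -> AuthResult:
    """Identity store sequence: internal database first, then AD."""
    if user in INTERNAL_USERS:
        return AuthResult(user, "internal", "All Groups")
    if user in AD_USERS:
        return AuthResult(user, "ad", None)
    return AuthResult(user, "none", None)


def authorize(result: AuthResult) -> Optional[int]:
    """Authorization rules evaluated in order; returns the shell privilege
    level, or None when authentication failed in every store."""
    if result.store == "none":
        return None
    # Rule 1: Identity Group condition on "All Groups". Only users that were
    # authenticated by the internal store carry an identity group, so this
    # never matches an AD-authenticated user.
    if result.identity_group == "All Groups":
        return 15
    # Default rule: everything else (i.e. AD-authenticated users) gets priv 1.
    return 1


def privilege_for(user: str) -> Optional[int]:
    """Full flow for one login attempt: authenticate, then authorize."""
    return authorize(authenticate(user))
```

Running `privilege_for` over a list of internal, AD-only, both-store and unknown accounts before going live is a quick way to confirm the rule order does what the thread expects.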