Cisco Support Community
New Member

ACS 5.2 Access Policies problem

Looking for some help as I am new to this version of ACS.

Here is the scenario:

We have two device groups

  1. ASAs for VPN access
  2. Wireless Controllers

There are 2 AAA devices in each group.

We have 4 Identity Stores

  1. ACS Internal User Store - This is used for external suppliers doing SSL VPN on ASAs
  2. External Radius server - this is a two factor authentication server that in turn looks up our AD and its own internal token database. This is used for IPSEC VPN access for internal employees.
  3. We have mapped AD groups - this is used for allowing access for wireless users.
  4. LDAP group mapped from other AD domain - used for allowing wireless access to an associated organisation.

Our requirements

  1. We need to create a rule for the VPN access that first of all looks through the ACS internal store - if a user is not found there then it checks the external Radius server. If no users are found there then access is denied.
  2. We need to create a similar rule for wireless users so that it will check AD - if a user is not found there then it checks LDAP. If no users are found then access is denied.

Any assistance you could give me with this would be much appreciated. If further information is required then please let me know.

Regards,

TC

Accepted Solution
Cisco Employee

ACS 5.2 Access Policies problem

Hi Thomas,

For point 1, configure an "Identity store sequence" that consists of:

- ACS internal DB

- External RADIUS server

Let's call it "VPNSequence".

For point 2, configure an Identity store sequence of:

- AD

- LDAP

Let's call it "WirelessSequence".

Then configure the identity section of your "default network access" service.

Put a condition that will match the VPN access (for example, "if network device belongs to the network device group called 'VPN concentrators'"; you will obviously put all ASAs there). The identity store used will be the sequence you created above ("VPNSequence").

Create a second rule (for point 2) that will match wireless access (if network device belongs to the WLC group, for example) and that will use the sequence "WirelessSequence" as identity store.

This should authenticate everyone accordingly. However, only "permit access" will be returned. If you want to return various attributes, it's in the authorization tab and it's another topic :-)
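The two identity rules described in the accepted answer, modelled as an added example that is not part of the original thread and not Cisco code: two network device groups, two identity store sequences, and an ordered identity policy that picks a sequence by the requesting device's group. The store names, device addresses and user records are constructed sample data. The one behaviour worth checking on a real ACS box is the fall-through rule: the sequence moves to the next store only when the user is not found, so a user who exists in the first store but supplies a wrong credential is rejected there rather than retried against the next store (on ACS 5.x this is governed by the identity rule's advanced options for "If authentication failed" and "If user not found"; confirm the settings match what the model assumes).

```python
"""Model of ACS 5.2 identity store sequences and identity policy rules.

Added illustration only; it mirrors the policy described in the thread and
is not Cisco software. All names, addresses and credentials are constructed.
"""
from dataclasses import dataclass

# Outcomes one identity store can return for an authentication attempt.
NOT_FOUND = "user_not_found"   # store has no such user: sequence tries the next store
AUTH_FAILED = "auth_failed"    # user exists but credential is wrong: sequence stops
SUCCESS = "success"


@dataclass
class IdentityStore:
    name: str
    users: dict  # username -> credential (constructed sample data)

    def authenticate(self, user: str, credential: str) -> str:
        if user not in self.users:
            return NOT_FOUND
        return SUCCESS if self.users[user] == credential else AUTH_FAILED


@dataclass
class IdentityStoreSequence:
    name: str
    stores: list  # IdentityStore objects, consulted in order

    def authenticate(self, user: str, credential: str):
        """Return (result, store_name). Fall through only on NOT_FOUND (assumed
        ACS behaviour; a wrong credential in an earlier store ends the sequence)."""
        for store in self.stores:
            result = store.authenticate(user, credential)
            if result != NOT_FOUND:
                return result, store.name
        return NOT_FOUND, None


@dataclass
class IdentityPolicy:
    device_to_ndg: dict  # NAS IP address -> network device group name
    rules: list          # ordered (ndg_name, IdentityStoreSequence); first match wins

    def evaluate(self, nas_ip: str, user: str, credential: str):
        """Return (decision, result, store) for one access request.
        No matching rule means the implicit default: reject."""
        ndg = self.device_to_ndg.get(nas_ip)
        for rule_ndg, sequence in self.rules:
            if ndg == rule_ndg:
                result, store = sequence.authenticate(user, credential)
                return ("ACCEPT" if result == SUCCESS else "REJECT"), result, store
        return "REJECT", "no_matching_identity_rule", None


def build_policy() -> IdentityPolicy:
    """Constructed policy matching the thread: ASAs -> VPNSequence, WLCs -> WirelessSequence."""
    internal = IdentityStore("Internal Users", {"supplier1": "s3cret"})
    ext_radius = IdentityStore("External RADIUS", {"alice": "token123"})
    ad = IdentityStore("AD1", {"bob": "winter2021"})
    ldap = IdentityStore("Partner LDAP", {"carol": "partner!"})

    vpn_seq = IdentityStoreSequence("VPNSequence", [internal, ext_radius])
    wlan_seq = IdentityStoreSequence("WirelessSequence", [ad, ldap])

    device_to_ndg = {
        "192.0.2.10": "VPN concentrators", "192.0.2.11": "VPN concentrators",
        "192.0.2.20": "WLC", "192.0.2.21": "WLC",
    }
    return IdentityPolicy(device_to_ndg, [("VPN concentrators", vpn_seq), ("WLC", wlan_seq)])


if __name__ == "__main__":
    policy = build_policy()
    for nas, user, cred in [("192.0.2.10", "supplier1", "s3cret"),
                            ("192.0.2.11", "alice", "token123"),
                            ("192.0.2.10", "supplier1", "wrong"),
                            ("192.0.2.21", "carol", "partner!"),
                            ("198.51.100.5", "alice", "token123")]:
        print(nas, user, policy.evaluate(nas, user, cred))
```

The third request in the demo (supplier1 with a wrong password) is rejected by the internal store and never reaches the external RADIUS server; the last one is rejected because the device belongs to no configured group, which is the behaviour you want from the default rule.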

New Member

ACS 5.2 Access Policies problem

Thanks a lot - that worked great - I hadn't noticed the sequence option for the identity stores!

Best regards,

Thomas.
