Re: ACS 5.2 Access Pollicies

brock0150 · ‎11-06-2011

I seem to be having issues trying to use the same Policy on an internal group and a group within AD.

Under the Default Device Admin

-Identity - Setup a Tacacs rule for a group within AD (rule 1) and duplicated the rule for an internal group (rule 2).

-Authorization - Setup a rule that allows the internal group and the AD group to have Shell access privilege 15.

We have a group that uses AD and one that doesn't, they both need tacacs to the same devices.

When I try to use Tacacs, I can login with the AD account, but it won't accept my enable password. If I use the internal username, it doesn't work at all. If I make the internal Rule 1 and the AD Rule 2, then I can login with the internal (still won't accept my enable password)l, but not the AD account.

If I delete the rules for the the AD group, the internal group works just fine and I don't have to enter an enable password. And vice versa with having the AD group but not the internal. I've made sure that the accounts I'm using do not exist anywhere else.

What am I missing? It seems like it would be rather simple, but not sure what I might be over looking.

ACS 4.x would allow us to do this.

Thanks for your help and sorry if this comes across confusing.

Brock

brock0150 · ‎11-06-2011

Also, under the Identity rule, I never have any hit counts on rule 2. It seems that whenever I'm doing Tacacs it only hits rule 1 and never hits rule 2. Why would we be able to duplicate a rule if it won't work or if it won't check to see what group that user is in?

Edit...

Fixed my own problem. I changed the Identity from a rule based selection to a single selection and now have it pointed to a identity sequence store. Can't believe it was that simple and I missed that. I was about ready to pull my hair out.