Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

ACS 5.2 using AD to manage network device Admin policy creation

Hi All,

Need some light here, we managed to integrate our newly setup ACS 5.2 to our regional domain.  now im creating a Device Admin access Policy for Regional Network Admin group and Regional Network Operators group. each having full  and read access respectively. 

i already have the default  identity policy and authorization policy with with command sets  fullaccess and showonly for each group, now i dont know how can i match the AD group regionaladm and regionalops so that  each user falls under one of these groups will have a correct  read/write access.

regards,

marlon

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

ACS 5.2 using AD to manage network device Admin policy creation

You need to start to add rules to the authorization policy

Go to

Access Policies> Access Services > Default Device Admin > Authorization

Press "Customize" and make AD1:External Groups a select condition and press OK

You can now make rules based on AD groups content

Press create and check the AD1:External Groups option and now can now enter the groups you want to check to assign access

Note the set of groups available for selection is defined in

Users and Identity Stores > External Identity Stores > Active Directory

Only groups selected here are available in policy

4 REPLIES
Gold

ACS 5.2 using AD to manage network device Admin policy creation

You need to start to add rules to the authorization policy

Go to

Access Policies> Access Services > Default Device Admin > Authorization

Press "Customize" and make AD1:External Groups a select condition and press OK

You can now make rules based on AD groups content

Press create and check the AD1:External Groups option and now can now enter the groups you want to check to assign access

Note the set of groups available for selection is defined in

Users and Identity Stores > External Identity Stores > Active Directory

Only groups selected here are available in policy

Community Member

ACS 5.2 using AD to manage network device Admin policy creation

Hi Thanks it works,

One question, how can i prevent other  users from logging in to the network devices, now all AD users will be able to access our network device.

regarda,

Marlon

Gold

ACS 5.2 using AD to manage network device Admin policy creation

You have made these rules based membership of regionalops and regionaladm groups. However, you seem to be implying that not all members of these groups should in fact have access and there are some members of these groups that should not have access? If so is there any way to dentify those that should have access? is there some AD attribute or group that exists or can be arranged to be configured so that can have utilzie in the policy rules? That would be the cleanest approach.

If not, how many users are there that you want to allow access to?

Community Member

ACS 5.2 using AD to manage network device Admin policy creation

Hi Jrabinow,

  Its working now i created a Deny Rule for those ordinary member of Domain Users.

Thanks for the support.

621
Views
0
Helpful
4
Replies
CreatePlease to create content