Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 5.3 Compound Condition AND

Hi All,

I am stuck a place where i need to select mulitple users from identity group and multiple devices from multiple ndg. situation become worst when i hv two different level of access for the users which are in same ad group but have different access to different ndg/devices. for example user 1 to user 5 of ad group1 have access to ndg1 to ndg5 but user6 to user10 from ad group1 shud not have access to these devices but they should be able to access ndg6 to ndg10. and user1 to user5 should not access these ndg5 to ndg10.

i tried to achieve this with compound condition in which i m adding NDG with or and in same compound condition i m adding users with and but problem is that all users1 to users10 have access to devices....which i dont want....

can any one help in this.

Cisco Employee

ACS 5.3 Compound Condition AND

It is hard to comment in detail in what you are trying to do or the  results that you are seeing since do not have sufficient details.

However, a couple of suggestions I can make

-  It looks like you have additional classifications on your users besides  what is defined in AD. One option would be to have these  classifications reflected in the AD group membership itelf. However, if  this is not possible (and I am guessing that it is not) then can in fact  use the internal user database to classify this information as follows

-  Create Internal attribute called "UserAccessGrp" at System  Administration > Configuration > Dictionaries > Identity >  Internal Users. For the purposes of this discussion can use an integer  type. Also define a "policy Conditrion Display Name" so that be referenced in the authorization policy

-  Create internal user records for users 1 to 5 and set the  "UserAccessGrp" to have a value 1. For users 6 to 10 set the  "UserAccessGrp" to have a value 2

- Create an identity sequence:Users and Identity Stores >  Identity Store Sequences. Select the "Password Based" option and Active  Directory database under "Authentication and Attribute Retrieval Search  List" and "Internal Users" under "Additional Attribute Retrieval Search  List". Once created select this identity sequence as the result of the  identity policy.

Once this is done you can now create compound conditions on the value of the "UserAccessGrp" of the "Internal Users' dictionary

Suggestion  is to similarly group devices into additional device groups. Can add a  new NDG hierarchy called "AccessGroup" (Network Resources > Network  Device Group) and then define logical group 1, logical group 2 etc

Then final can define the authorization policy using two conditions

- UserAccessGrp

- NDG:Logical Group

and define rules

UserAccessGrp = 1;NDG:Logical Group = 1 then Permit Access

UserAccessGrp = 2;NDG:Logical Group = 2 then Permit Access


Default rule: Deny Access

I  realize there are a lot of details here and not sure how much  experience you have with ACS5. However, hope it helps and can fit the  use case

CreatePlease login to create content