Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1387
Views
0
Helpful
1
Replies

ACS 5.3 Compound Condition AND

jain.nitin
Level 3
Level 3

‎12-26-2011 09:09 PM - edited ‎03-10-2019 06:39 PM

Hi All,

I am stuck a place where i need to select mulitple users from identity group and multiple devices from multiple ndg. situation become worst when i hv two different level of access for the users which are in same ad group but have different access to different ndg/devices. for example user 1 to user 5 of ad group1 have access to ndg1 to ndg5 but user6 to user10 from ad group1 shud not have access to these devices but they should be able to access ndg6 to ndg10. and user1 to user5 should not access these ndg5 to ndg10.

i tried to achieve this with compound condition in which i m adding NDG with or and in same compound condition i m adding users with and but problem is that all users1 to users10 have access to devices....which i dont want....

can any one help in this.

Labels:
0 Helpful
1 Reply 1

jrabinow
Level 7
Level 7

‎12-26-2011 11:18 PM

It is hard to comment in detail in what you are trying to do or the  results that you are seeing since do not have sufficient details.

However, a couple of suggestions I can make

-  It looks like you have additional classifications on your users besides  what is defined in AD. One option would be to have these  classifications reflected in the AD group membership itelf. However, if  this is not possible (and I am guessing that it is not) then can in fact  use the internal user database to classify this information as follows

-  Create Internal attribute called "UserAccessGrp" at System  Administration > Configuration > Dictionaries > Identity >  Internal Users. For the purposes of this discussion can use an integer  type. Also define a "policy Conditrion Display Name" so that be referenced in the authorization policy

-  Create internal user records for users 1 to 5 and set the  "UserAccessGrp" to have a value 1. For users 6 to 10 set the  "UserAccessGrp" to have a value 2

- Create an identity sequence:Users and Identity Stores >  Identity Store Sequences. Select the "Password Based" option and Active  Directory database under "Authentication and Attribute Retrieval Search  List" and "Internal Users" under "Additional Attribute Retrieval Search  List". Once created select this identity sequence as the result of the  identity policy.

Once this is done you can now create compound conditions on the value of the "UserAccessGrp" of the "Internal Users' dictionary

Suggestion  is to similarly group devices into additional device groups. Can add a  new NDG hierarchy called "AccessGroup" (Network Resources > Network  Device Group) and then define logical group 1, logical group 2 etc

Then final can define the authorization policy using two conditions

- UserAccessGrp

- NDG:Logical Group

and define rules

UserAccessGrp = 1;NDG:Logical Group = 1 then Permit Access

UserAccessGrp = 2;NDG:Logical Group = 2 then Permit Access

etc

Default rule: Deny Access

I  realize there are a lot of details here and not sure how much  experience you have with ACS5. However, hope it helps and can fit the  use case

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents