ACS 5.x Policy for Multiple NDG Combinations

rodmunch999
Level 1

Hi,

I am trying to work out if there is a way to create policies for individual users on ACS 5.x.

For example I have a v5.2 ACS with an Internal Identity Store of 100 Users. There are 15 Network Device Groups configured at the same level (no sub levels).

I need to be able to assign individual users access to any combination of NDGs. So for example User1 would have access to devices in NDG 1, 5, 6 and 13, User2 access to NDG 5, 7 and 9, etc.

In a 4.x ACS I would create Groups that would define the privilege level and then on User-Level Network Access Restrictions I would select which NDGs could be permitted.

I am trying to get my head around how I can achieve the same in v5.x ACS. If there were only a few NDGs then I could create policies that would cover all possibilities but the permutations increase exponentially with the number of NDGs which makes this approach impractical.

Am I wrongly trying to apply 4.x logic to a 5.x solution? Any ideas would be greatly appreciated.

Cheers

Dave

1 Accepted Solution

Accepted Solutions

Hi Dave,

For this I would suggest to add a specific condition on the Authorization policy checking for the "System:UserName".

You can do so going back to "Customize" and adding the "System:UserName" condition to the "Selected:" list of conditions.

I hope this answers your question.

Regards,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.


4 Replies

Federico Lovison
Cisco Employee

Hi Dave,

You may try to configure a rule for each user on the authorization policy, specifying a compound condition.

E.g.: NDG:NDG1 or NDG:NDG2 or NDG:NDG3

You need to add the "compound condition" on the authz policy for your access service with the "customize" button.

Then, check this link for more details on how to configure the compound conditions:

http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html#wp1054918

I hope this helps.

Regards,

Federico

Thanks very much for the reply Federico. I can now see how I can select different combinations of NDGs using a compound condition with OR statements. What I do not get though is how I can select an individual username as another condition in this policy.

In the compound policy I can select the Dictionary item of "Internal Users" as a condition but this only shows the user attributes, not the username (see screenshot).

Basically I want to be able to use the Username from an Internal Identity Store as a condition in a policy. Is this possible?


Thanks Federico - I saw that option but thought it was for the System name - Should have tested it. Thank you very much.
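The approach Federico describes across his two replies, one authorization rule per user whose compound condition ANDs the "System:UserName" check with an OR over the NDGs that user may reach, evaluated top-down with first match and a default deny, as an added Python model. This is an illustration written for this page, not Cisco ACS code. The attribute key "NDG:Location", the result name "Priv15" and the user/NDG data are constructed for the example (the page only writes the NDG terms as "NDG:NDG1"); real ACS NDG values are hierarchical paths, which this exact-match model deliberately does not reproduce.

```python
"""Toy model of an ACS 5.x rule-based authorization policy.

Constructed example: one rule per user, whose compound condition is
  System:UserName == <user> AND (NDG == a OR NDG == b OR ...)
Rules are evaluated in order; the first match wins; anything unmatched
falls through to the default (deny) result, as in an ACS policy table.
"""
from dataclasses import dataclass

# Dictionary attribute names: "System:UserName" is the one named in the thread;
# "NDG:Location" is an assumed name for a single-level NDG hierarchy.
USERNAME_ATTR = "System:UserName"
NDG_ATTR = "NDG:Location"


@dataclass(frozen=True)
class Rule:
    name: str
    username: str
    allowed_ndgs: frozenset  # the OR'd NDG terms of the compound condition
    result: str              # authorization result, e.g. a shell profile

    def matches(self, request: dict) -> bool:
        # A request with no NDG attribute (device in no group) never matches.
        return (request.get(USERNAME_ATTR) == self.username
                and request.get(NDG_ATTR) in self.allowed_ndgs)


@dataclass
class AuthorizationPolicy:
    rules: list
    default_result: str = "DenyAccess"  # explicit last-resort result

    def evaluate(self, request: dict) -> tuple:
        """First-match evaluation; returns (matched rule name, result)."""
        for rule in self.rules:
            if rule.matches(request):
                return rule.name, rule.result
        return "Default", self.default_result


def build_policy(user_ndgs: dict, result: str = "Priv15") -> AuthorizationPolicy:
    """One rule per user: rule count grows with the number of users,
    not with the number of NDG combinations."""
    rules = [Rule(f"Rule-{user}", user, frozenset(ndgs), result)
             for user, ndgs in user_ndgs.items()]
    return AuthorizationPolicy(rules)


def combination_rule_count(ndg_count: int) -> int:
    """Rules needed if every non-empty NDG combination got its own rule
    (the approach the original question rejects as impractical)."""
    return 2 ** ndg_count - 1


# Constructed data following the question: User1 -> NDG 1,5,6,13; User2 -> NDG 5,7,9
USER_NDGS = {
    "User1": {"NDG1", "NDG5", "NDG6", "NDG13"},
    "User2": {"NDG5", "NDG7", "NDG9"},
}
POLICY = build_policy(USER_NDGS)


def authorize(username: str, ndg) -> tuple:
    """Build the request attributes ACS would see and evaluate the policy."""
    request = {USERNAME_ATTR: username}
    if ndg is not None:
        request[NDG_ATTR] = ndg
    return POLICY.evaluate(request)


if __name__ == "__main__":
    for user, ndg in [("User1", "NDG5"), ("User1", "NDG7"),
                      ("User2", "NDG7"), ("User3", "NDG1"), ("User1", None)]:
        print(user, ndg, "->", authorize(user, ndg))
    print("rules by NDG combination for 15 NDGs:", combination_rule_count(15))
    print("rules by username for", len(USER_NDGS), "users:", len(POLICY.rules))
```

The point of the model is the rule count: with 15 NDGs a rule per combination would need 32767 rules, while a rule per user needs exactly one rule per user. Keep the explicit deny as the last rule so a user whose rule lists the wrong NDG, or a device that is in no NDG, is rejected rather than matched by accident.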
