New Member

ACS 5.x Policy for Multiple NDG Combinations

Hi,

I am trying to work out if there is a way to create policies for individual users on ACS 5.x.

For example, I have a v5.2 ACS with an Internal Identity Store of 100 users. There are 15 Network Device Groups configured at the same level (no sub-levels).

I need to be able to assign individual users access to any combination of NDGs. So, for example, User1 would have access to devices in NDG 1, 5, 6 and 13; User2 would have access to NDG 5, 7 and 9, etc.

In a 4.x ACS I would create Groups that would define the privilege level and then on User-Level Network Access Restrictions I would select which NDGs could be permitted.

I am trying to get my head around how I can achieve the same in v5.x ACS. If there were only a few NDGs then I could create policies that would cover all possibilities but the permutations increase exponentially with the number of NDGs which makes this approach impractical.

Am I wrongly trying to apply 4.x logic to a 5.x solution? Any ideas would be greatly appreciated.

Cheers

Dave


4 REPLIES
Cisco Employee

Re: ACS 5.x Policy for Multiple NDG Combinations

Hi Dave,

You may try to configure a rule for each user on the authorization policy, specifying a compound condition.

E.g.: NDG:NDG1 or NDG:NDG2 or NDG:NDG3

You need to add the "compound condition" on the authz policy for your access service with the "customize" button.

Then, check this link for more details on how to configure the compound conditions:

http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html#wp1054918

I hope this helps.

Regards,

Federico

New Member

Re: ACS 5.x Policy for Multiple NDG Combinations

Thanks very much for the reply Federico. I can now see how I can select different combinations of NDGs using a compound condition with OR statements. What I do not get, though, is how I can select an individual username as another condition in this policy.

In the compound policy I can select the Dictionary item "Internal Users" as a condition, but this only shows the user attributes, not the username (see screenshot).

Basically I want to be able to use the username from an Internal Identity Store as a condition in a policy. Is this possible?

Cisco Employee

Re: ACS 5.x Policy for Multiple NDG Combinations

Hi Dave,

For this I would suggest adding a specific condition on the Authorization policy checking for the "System:UserName".

You can do so going back to "Customize" and adding the "System:UserName" condition to the "Selected:" list of conditions.

I hope this answers your question.

Regards,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

New Member

Re: ACS 5.x Policy for Multiple NDG Combinations

Thanks Federico. I saw that option but thought it was for the system name; I should have tested it. Thank you very much.
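To make the scaling argument in this thread concrete, here is an added Python model (not ACS code or configuration) of a first-match authorization rule table built the way Federico describes: one rule per user whose compound condition is System:UserName AND (NDG = X OR NDG = Y ...). The NDG names, the "PrivLevel15" shell profile label and the "DenyAccess" default result are assumptions chosen for illustration.

```python
# Added example: models an ACS 5.x style first-match authorization policy
# with one per-user rule, versus one rule per NDG combination.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed sample data: the 15 top-level NDGs mentioned in the question.
ALL_NDGS: Set[str] = {f"NDG{i}" for i in range(1, 16)}

@dataclass(frozen=True)
class Rule:
    """One rule: System:UserName = username AND (NDG = n1 OR NDG = n2 OR ...).
    shell_profile is the result returned when the rule matches (assumed label)."""
    username: str
    ndgs: FrozenSet[str]
    shell_profile: str

def matches(rule: Rule, username: str, ndg: str) -> bool:
    """The compound condition: username must match AND the device's NDG
    must be one of the OR-ed groups."""
    return username == rule.username and ndg in rule.ndgs

def authorize(rules: List[Rule], username: str, ndg: str) -> str:
    """First-match evaluation; anything not explicitly permitted falls
    through to the default rule, which denies (least privilege)."""
    for rule in rules:
        if matches(rule, username, ndg):
            return rule.shell_profile
    return "DenyAccess"

def build_rules(user_ndgs: Dict[str, Set[str]], profile: str = "PrivLevel15") -> List[Rule]:
    """One rule per user from a {username: set_of_ndgs} access matrix."""
    return [Rule(u, frozenset(n), profile) for u, n in user_ndgs.items()]

def combination_rule_count(ndg_count: int) -> int:
    """Rules needed if you instead wrote one rule per NDG combination:
    every non-empty subset of the NDGs."""
    return 2 ** ndg_count - 1

# Constructed access matrix taken from the question's example.
USER_NDGS: Dict[str, Set[str]] = {
    "User1": {"NDG1", "NDG5", "NDG6", "NDG13"},
    "User2": {"NDG5", "NDG7", "NDG9"},
}
RULES = build_rules(USER_NDGS)

if __name__ == "__main__":
    print(authorize(RULES, "User1", "NDG5"))   # PrivLevel15
    print(authorize(RULES, "User1", "NDG7"))   # DenyAccess
    print(len(RULES), "per-user rules vs", combination_rule_count(len(ALL_NDGS)))
```

With 15 NDGs the per-combination approach would need 32767 rules, while the per-user approach needs exactly as many rules as there are users.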
