I am trying to work out if there is a way to create policies for individual users on ACS 5.x.
For example, I have a v5.2 ACS with an Internal Identity Store of 100 Users. There are 15 Network Device Groups configured at the same level (no sub levels).
I need to be able to assign individual users access to any combination of NDGs. So for example User1 would have access to devices in NDG 1, 5, 6 and 13. User2 access to NDG 5, 7 and 9, etc.
In a 4.x ACS I would create Groups that would define the privilege level and then on User-Level Network Access Restrictions I would select which NDGs could be permitted.
I am trying to get my head around how I can achieve the same in v5.x ACS. If there were only a few NDGs then I could create policies that would cover all possibilities but the permutations increase exponentially with the number of NDGs which makes this approach impractical.
Am I wrongly trying to apply 4.x logic to a 5.x solution? Any ideas would be greatly appreciated.
Thanks very much for the reply Frederico. I can now see how I can select different combinations of NDGs using a compound condition with OR statements. What I do not get though is how I can select an individual username as another condition in this policy.
In the compound policy I can select the Dictionary item of "Internal Users" as a condition but this only shows the user attributes, not the username (see screenshot).
Basically I want to be able to use the Username from an Internal Identity Store as a condition in a policy. Is this possible?