I'm configuring a new ACS5.4 appliance from scratch. My previous ACS was a 3.3 Windows system so we decided to redesign the configuration. You can imagine that the new ACS is very different to me.
My question is what is the best approach to setting up Identity Groups and Access Groups for TACACS authentication/authorization for our network devices. I'll be using Active Directory as my external ID Store.
Here's my criteria:
- I need to have Full Access Admins and Read Only Admins for remote site support staff.
- These Admins are granted access to 3 different network layers either with Full Access or Read Only access.
- Our external AD groups are set up to match Full Access or Read Only for each network layer.
Here is how our Network Access groups in AD are set up:
Access Groups:       Full Control Admins          Read Only Admins
AD Groups Per Site:  Site1-Core-Full Control      Site1-Core-Read Only
                     Site1-Distro-Full Control    Site1-Distro-Read Only
                     Site1-Access-Full Control    Site1-Access-Read Only
                     -----------------------
                     Site2-Core-Full Control      Site2-Core-Read Only
                     Site2-Distro-Full Control    Site2-Distro-Read Only
                     Site2-Access-Full Control    Site2-Access-Read Only
From what I've read in the ACS 5.4 configuration documents, it seems more efficient to create Identity Groups specific to the Access types (Full Control or RO) instead of creating a whole bunch of Access Groups. But at this point I'm a bit uncertain about what approach I should take. Any advice is greatly appreciated!
5. In the Authorization section, I tried to set up as you suggested "If AD group is X and site is A" then "Full access / read only". For Authorization though, I get choices for Identity Group, NDG:Location, NDG:Device Type, & Device Filter and the Results Shell Profile. There doesn't seem to be a selection that I can pick an AD Group from.
Am I in the wrong section for this? Or have I missed a step earlier on in the process?
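As an added illustration (not code from this thread or from Cisco ACS), the following Python models the two policy stages the question is about: a Group Mapping table that turns AD group membership into one Identity Group, and an Authorization table that matches Identity Group plus NDG:Location and NDG:Device Type to a shell profile. The site, layer, identity-group and shell-profile names are assumed from the post's naming scheme, and the per_site flag shows why two coarse identity groups (Full Control / Read Only) on their own let a Site2 admin match a Site1 device rule.

```python
"""Model of a two-stage ACS 5.x device-admin policy (Group Mapping, then Authorization).
Constructed example, not ACS code: it simulates first-match rule tables so a policy
design can be checked for over-granting before it is typed into the appliance."""
from itertools import product

SITES = ("Site1", "Site2")                 # NDG:Location values (assumed)
LAYERS = ("Core", "Distro", "Access")      # NDG:Device Type values (assumed)
LEVELS = {"Full Control": "Priv15-Shell",  # shell profile names are constructed
          "Read Only": "Priv1-Shell"}


def build_policy(per_site=True):
    """Return (group_mapping, authz_rules) following the AD naming scheme in the post.
    group_mapping rows: (AD group, Identity Group); authz rows: (Identity Group,
    NDG:Location, NDG:Device Type, Shell Profile). With per_site=False the identity
    group carries only the access level, as the post considers doing."""
    group_mapping, authz_rules = [], []
    for site, layer, (level, profile) in product(SITES, LAYERS, LEVELS.items()):
        idg = f"{site}:{layer}:{level}" if per_site else level
        group_mapping.append((f"{site}-{layer}-{level}", idg))
        authz_rules.append((idg, site, layer, profile))
    return group_mapping, authz_rules


def map_identity_group(ad_groups, group_mapping):
    """Group mapping assigns one identity group per session: the first rule whose AD
    group the user holds wins, so rule order matters for users in several AD groups."""
    for ad_group, idg in group_mapping:
        if ad_group in ad_groups:
            return idg
    return None


def authorize(ad_groups, location, device_type, policy):
    """Authorization: the first rule matching identity group + both NDGs returns its
    shell profile; no match falls to the default rule, modelled here as deny (None)."""
    group_mapping, authz_rules = policy
    idg = map_identity_group(ad_groups, group_mapping)
    for rule_idg, rule_loc, rule_type, profile in authz_rules:
        if idg == rule_idg and location == rule_loc and device_type == rule_type:
            return profile
    return None


if __name__ == "__main__":
    fine, coarse = build_policy(), build_policy(per_site=False)
    site2_admin = {"Site2-Core-Full Control"}
    print(authorize(site2_admin, "Site1", "Core", fine))    # None: scoped to Site2
    print(authorize(site2_admin, "Site1", "Core", coarse))  # Priv15-Shell: over-grant
```

The coarse table only stays safe if the AD group itself is part of the authorization condition, which is the gap the follow-up question in step 5 runs into.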