I'm now in the testing stages of our new Cisco ACS Appliance. I'm running version 18.104.22.168.6.
I have created some authorization policies to either allow admin access or read only access. This is based on what AD group you are in and also a device filter so I can allow specific teams access to specific device types based on location.
I have created an access service for radius device administration.
I have also created a service selection policy which matches the protocol of radius, an NDG device type of NOT Cisco VPN and then added the service as my access service I created.
Within that access service I have created an identity to match protocol radius and identity source of AD.
I have then created an authorization to allow my team full access to our network devices. This is done using a device filter and an AD group which my team exist in. I have then added an authorization profile which allows full access based on radius attributes. This works ok and I can access our switches using my AD account and I get full access, which is what I want. I can also see the matches on the policies that I created.
I have then created a DE switch read access policy to only allow read only access to switches based on a specific location. I have created a device filter for this and added this to the authorization policy. I have then added the specific AD group and also a read only authorization profile based on a read only radius attribute.
Now when I use the account I have set up within this group and I try and access a switch which is NOT in the German Extreme filter it lets me access those devices and gives me read only access. To me it looks like it's ignoring the device filter and just allowing read only access to all switches.
Has anyone seen this behaviour before? Is it a misconfiguration possibly somewhere within my configuration?
I can post screenshots if you require these to assist me further.
What I have done is to remove the device filter from that particular authorization policy. I then added an NDG:Device Type and NDG:Location as separate conditions into the policy. I then tested access to a NON German device and it denied access. So it looks like it's ignoring the device filter altogether.
I then decided to test access to a German switch using the AD user in the German group. I was able to get read only access but when I checked to see which policy it had matched it matched on a Juniper firewall read only policy, which is allowing access using a VSA of Netscreen. How was it able to use that policy and allow me read access to an Extreme Networks switch? On the switch I see the following error, which indicates it's seen a specific VSA ID.
radDecodeVsa :Unknown vendor 3224 1
I can see the successful authentication in the ACS logs as shown. You can see it's matched my Netscreen AP.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Radius-Device-Admin
Evaluating Identity Policy
15004 Matched rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24416 User's Groups retrieval from Active Directory succeeded
24402 User authentication against Active Directory succeeded
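As an added example (not from the original post or from Cisco's ACS code), here is how the Vendor-Specific attribute (RADIUS type 26) that the Extreme switch rejects is laid out on the wire, with a small check that flags a VSA whose enterprise number does not belong to the NAS vendor. The enterprise-number table is assumed from the IANA registry (9 Cisco, 1916 Extreme Networks, 3224 NetScreen); the Access-Accept payload is constructed for the example.

```python
import struct

# Assumed IANA enterprise numbers for the vendors named in the thread.
VENDOR_NAMES = {9: "Cisco", 1916: "Extreme Networks", 3224: "NetScreen (Juniper)"}

def build_vsa(vendor_id: int, vendor_type: int, text: str) -> bytes:
    """Encode one RFC 2865 Vendor-Specific attribute: type 26, length,
    4-byte vendor id, then vendor-type, vendor-length and the string value."""
    data = text.encode()
    body = struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data
    return bytes([26, len(body) + 2]) + body

def decode_vsas(attrs: bytes):
    """Walk a RADIUS attribute list and return (vendor_id, vendor_type, value)
    for every Vendor-Specific attribute; other attribute types are skipped."""
    found, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        value = attrs[i + 2:i + alen]
        if atype == 26 and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            data = value[6:4 + vendor_len]
            found.append((vendor_id, vendor_type, data.decode(errors="replace")))
        i += alen
    return found

def foreign_vsas(attrs: bytes, nas_vendor_id: int):
    """Return the VSAs in an Access-Accept whose vendor is not the NAS vendor.
    A NAS normally ignores these, which is the 'Unknown vendor 3224 1' the
    Extreme switch logged when it received a NetScreen attribute."""
    return [(vid, VENDOR_NAMES.get(vid, "unknown"), vtype, val)
            for vid, vtype, val in decode_vsas(attrs) if vid != nas_vendor_id]

# Constructed Access-Accept body: a NetScreen VSA (vendor 3224, vendor-type 1,
# matching the switch log) that the Juniper read-only profile would return.
NETSCREEN_ACCEPT = build_vsa(3224, 1, "read-only")
# Constructed Cisco-AVPair (vendor 9, vendor-type 1) as used for full access.
CISCO_ACCEPT = build_vsa(9, 1, "shell:priv-lvl=15")

if __name__ == "__main__":
    for vid, name, vtype, val in foreign_vsas(NETSCREEN_ACCEPT, 1916):
        print("VSA from %s (vendor %d, type %d) sent to Extreme NAS: %r" % (name, vid, vtype, val))
```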
Still trying to get this working. What I have done as a test is to remove the device type from the filter and just leave the location filter. I then tested access to a device not in that location and it denied me access. I then added a device type of a firewall, just to see if it was matching the 2nd filter and it allowed me in. So it's as though it's not looking at the second filter I configure within the device filter. I have attached a screenshot of the filter. Does this look ok to you?
What I thought I could use the device filters for was to create filters based on device type and location. I could then apply those to an authorisation policy. E.g.
Cisco routers - location Germany
Extreme switches - location Italy
It looks like I have misunderstood how device filters actually work. This wasn't very clear in the documentation.
So what you are saying is I would have to create 2 device filters, 1 for location and 1 for device type. Then create 2 auth rules the same but using the 1 device filter in 1 and the other filter in the other.
Seems a bit of a long-winded way to do it. I may as well stick to using the individual NDG conditions within each auth policy.
I have decided to not use device filters at this point. This may change when I propose this set up to our teams globally.
I have set up multiple access services based on device type. I have then created service selection policies to match on a specific device type and to forward those requests to the access service. Then I have created multiple authorization profiles within those access services to allow specific access dependent on AD group and also using the device location and department NDG.
This means I can allocate read only access to all German switches to our German server team for example.
Not sure if how I have done it is the best way to do things. I have tested on a switch and it does seem to work how I want it.