ACS Policies

c-computershare
Level 1

Hi

I'm now in the testing stages of our new Cisco ACS Appliance. I'm running version 5.2.0.26.6.

I have created some authorization policies to either allow admin access or read only access. This is based on what AD group you are in and also a device filter so I can allow specific teams access to specific device types based on location.

I have created an access service for radius device administration.

I have also created a service selection policy which matches the protocol of radius, an NDG device type of NOT Cisco VPN and then added the service as my access service I created.

Within that access service I have created an identity to match protocol radius and identity source of AD.

I have then created an authorization to allow my team full access to our network devices. This is done using a device filter and an AD group which my team exist in. I have then added an authorization profile which allows full access based on radius attributes. This works ok and I can access our switches using my AD account and I get full access, which is what I want. I can also see the matches on the policies that I created.

I have then created a DE switch read access policy to only allow read only access to switches based on a specific location. I have created a device filter for this and added this to the authorization policy. I have then added the specific AD group and also a read only authorization profile based on a read only radius attribute.

Now when I use the account I have set up within this group and I try and access a switch which is NOT in the German Extreme filter it lets me access those devices and gives me read only access. To me it looks like it's ignoring the device filter and just allowing read only access to all switches.

Has anyone seen this behaviour before? Is it possibly a misconfiguration somewhere within my configuration?

I can post screenshots if you require these to assist me further.

Regards

Jay


c-computershare
Level 1

Hi

What I have done is to remove the device filter from that particular authorization policy. I then added an NDG:Device Type and NDG:Location as separate conditions into the policy. I then tested access to a NON German device and it denied access. So it looks like it's ignoring the device filter altogether.

I then decided to test access to a German switch using the AD user in the German group. I was able to get read only access but when I checked to see which policy it had matched it matched on a Juniper firewall read only policy, which is allowing access using a VSA of Netscreen. How was it able to use that policy and allow me read access to an Extreme Networks switch? On the switch I see the following error, which indicates it's seen a specific VSA ID.

radDecodeVsa :Unknown vendor 3224 1

I can see the successful authentication in the ACS logs as shown. You can see it's matched my Netscreen AP.

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - Radius-Device-Admin

Evaluating Identity Policy

15004  Matched rule

15013  Selected Identity Store - AD1

24430  Authenticating user against Active Directory

24416  User's Groups retrieval from Active Directory succeeded

24402  User authentication against Active Directory succeeded

22037  Authentication Passed

Evaluating Group Mapping Policy

Evaluating Exception Authorization Policy

15042  No rule was matched

Evaluating Authorization Policy

15004  Matched rule

15016  Selected Authorization Profile - Read-Only-Netscreen-AP

11002  Returned RADIUS Access-Accept

Has anyone come across this before and any ideas if anything I may have done wrong?

Cheers

Jay

Hi

I have been doing more testing and it's definitely NOT picking up the device filters within the authorization policy.

I also moved one of the policies and it's now using the Extreme-AP, NOT the Netscreen-AP anymore. Still weird why it was able to log in using that one.

Has anyone else had problems getting device filters to work?

Cheers

Jay

Hi

Still trying to get this working. What I have done as a test is to remove the device type from the filter and just leave the location filter. I then tested access to a device not in that location and it denied me access. I then added a device type of a firewall, just to see if it was matching the 2nd filter, and it allowed me in. So it's as though it's not looking at the second filter I configure within the device filter. I have attached a screenshot of the filter. Does this look ok to you?

Want to clarify what you are trying to achieve.

To clarify, a device filter defines a list of conditions and only one of them needs to match for the overall filter to match. If you want an AND combination then you need to define an authorization rule.
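The combination logic described in that reply, as an added toy model that is not part of the thread and not Cisco's code: the same two NDG conditions are evaluated once as a device filter (any one condition is enough) and once as separate conditions of an authorization rule (all must hold), over a constructed set of sample devices. Device names, NDG values and rule names are made up for the illustration.

```python
# Added example: models how an ACS 5.x device filter OR-combines its conditions
# versus an authorization rule that AND-combines the same NDG conditions.
# All devices, NDG values and names below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    ndg: dict  # NDG attributes, e.g. {"Device Type": "Extreme Switch", "Location": "Germany"}


@dataclass
class DeviceFilter:
    """Mimics a device filter: a list of (NDG attribute, value) pairs, OR-combined."""
    conditions: list

    def matches(self, device: Device) -> bool:
        return any(device.ndg.get(attr) == val for attr, val in self.conditions)


@dataclass
class AuthorizationRule:
    """Mimics an authorization rule: separate NDG conditions, AND-combined."""
    name: str
    conditions: list

    def matches(self, device: Device) -> bool:
        return all(device.ndg.get(attr) == val for attr, val in self.conditions)


# Constructed sample devices (not real inventory)
DEVICES = [
    Device("de-sw-01", {"Device Type": "Extreme Switch", "Location": "Germany"}),
    Device("it-sw-01", {"Device Type": "Extreme Switch", "Location": "Italy"}),
    Device("de-fw-01", {"Device Type": "Juniper Firewall", "Location": "Germany"}),
    Device("uk-rt-01", {"Device Type": "Cisco Router", "Location": "UK"}),
]

# The intended "German Extreme switches" condition set
GERMAN_EXTREME = [("Device Type", "Extreme Switch"), ("Location", "Germany")]


def devices_matched_by_filter(devices):
    """Names of devices a device filter holding both conditions lets through."""
    return [d.name for d in devices if DeviceFilter(GERMAN_EXTREME).matches(d)]


def devices_matched_by_rule(devices):
    """Names of devices a rule carrying the same two NDG conditions lets through."""
    return [d.name for d in devices if AuthorizationRule("DE-Switch-ReadOnly", GERMAN_EXTREME).matches(d)]


if __name__ == "__main__":
    print("filter:", devices_matched_by_filter(DEVICES))  # Italian switch and German firewall also match
    print("rule:  ", devices_matched_by_rule(DEVICES))    # only the German Extreme switch matches
```

The filter case reproduces the behaviour reported above: an Extreme switch outside Germany and a German firewall both satisfy one condition each, so both are let through.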

Hi

Thanks for your reply.

What I thought I could use the device filters for was to create filters based on device type and location. I could then apply those to an authorisation policy. E.g.

Cisco routers - location Germany

Extreme switches - location Italy

It looks like I have misunderstood how device filters actually work. This wasn't very clear in the documentation.

So what you are saying is I would have to create 2 device filters, 1 for location and 1 for device type. Then create 2 auth rules the same but using the 1 device filter in 1 and the other filter in the other.

Seems a bit of a long-winded way to do it. I may as well stick to using the individual NDG conditions within each auth policy.

I have decided to not use device filters at this point. This may change when I propose this set up to our teams globally.

I have set up multiple access services based on device type. I have then created service selection policies to match on a specific device type and to forward those requests to the access service. Then I have created multiple authorization profiles within those access services to allow specific access dependent on AD group and also using the device location and department NDG.

This means I can allocate read only access to all German switches to our German server team for example.

Not sure if how I have done it is the best way to do things. I have tested on a switch and it does seem to work how I want it.

Cheers

Jay