ACS v5 best practice w/ access policies.

Hello, I am in the process of deploying an ACS v5 appliance with 2 network devices talking through it to MS Active Directory via LDAP. It works great but I have a design question.

Our current access policy has one AD group match, one AD attribute match, and network device type is valid. If those 3 items match then permit access. Pretty simple. But my question is specific to the network device type. Is it best practice to have one large access policy with different network device types OR have one access policy per device type?

For example, let's say I have a 3000 series Concentrator and a 5500 series ASA, and logging into the network via their devices I have the same IT support person and I am pulling the AD attribute msdialin=TRUE.

One Access Policy

1: IT Support memberOf=VPN User Allow Dial in=True Network Device=VPN 3000

2: IT Support memberOf=VPN User Allow Dial in=True Network Device=ASA 5500

Or have two Access Policies, one dedicated to each device type?

Access Services

>VPN 3000

>Authorization

1: IT Support memberOf=VPN User Allow Dial in=True

Access Services

>ASA 5500

>Authorization

1: IT Support memberOf=VPN User Allow Dial in=True

Just not sure which way to go. Any help is greatly appreciated.

e-

172 Views, 0 Helpful, 0 Replies
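As an added illustration, not part of the post and not Cisco ACS code, the following Python models the two layouts the question lays out and runs the same constructed authorization requests through each. The rule contents (AD group "VPN User", Allow Dial in=True, device types "VPN 3000" and "ASA 5500") come from the post; the user names, the extra group names and the evaluation order assumed here (select the access service first, walk its authorization rules top to bottom, first match wins, anything unmatched is denied) are a simplification for the example and not a statement of how ACS 5 is implemented.

```python
"""Constructed model of the two ACS 5 rule layouts discussed in the post.

Not ACS code: a small evaluator that runs the same authorization requests
through (1) one access service whose rules each carry a device-type condition
and (2) one access service per device type. Assumed evaluation order: pick the
access service, walk its rules top to bottom, first match wins, and a request
that matches nothing is denied.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """What the policy engine has on hand for one authorization decision."""
    user: str
    ad_groups: frozenset     # AD memberOf values
    msdialin: bool           # the AD attribute the post pulls as msdialin=TRUE
    device_type: str         # network device type of the device the user came in on


# Design 1: single access service; device type is a condition on each rule.
# Rule tuple: (rule name, required AD group, required msdialin, required device type)
ONE_SERVICE_RULES = [
    ("1: IT Support / VPN 3000", "VPN User", True, "VPN 3000"),
    ("2: IT Support / ASA 5500", "VPN User", True, "ASA 5500"),
]


def evaluate_single_service(req):
    """Walk the rules in order; first match permits, no match denies."""
    for name, group, dialin, dev_type in ONE_SERVICE_RULES:
        if (group in req.ad_groups
                and req.msdialin == dialin
                and req.device_type == dev_type):
            return ("PERMIT", name)
    return ("DENY", "default rule")


# Design 2: one access service per device type. Service selection is keyed on
# device type, and the rules inside a service no longer mention the device.
# Rule tuple: (rule name, required AD group, required msdialin)
PER_DEVICE_SERVICES = {
    "VPN 3000": [("1: IT Support", "VPN User", True)],
    "ASA 5500": [("1: IT Support", "VPN User", True)],
}


def evaluate_per_device_services(req):
    """Select the access service by device type, then walk its rules."""
    rules = PER_DEVICE_SERVICES.get(req.device_type)
    if rules is None:
        # No access service covers this device type: nothing to evaluate.
        return ("DENY", "no access service selected")
    for name, group, dialin in rules:
        if group in req.ad_groups and req.msdialin == dialin:
            return ("PERMIT", f"{req.device_type} / {name}")
    return ("DENY", f"{req.device_type} / default rule")


# Constructed requests; user names and the extra group names are made up.
SAMPLE_REQUESTS = [
    Request("itsupport1", frozenset({"VPN User", "IT Support"}), True, "VPN 3000"),
    Request("itsupport1", frozenset({"VPN User", "IT Support"}), True, "ASA 5500"),
    Request("contractor1", frozenset({"VPN User"}), False, "ASA 5500"),  # dial-in not allowed
    Request("helpdesk1", frozenset({"Helpdesk"}), True, "VPN 3000"),     # wrong AD group
    Request("itsupport1", frozenset({"VPN User", "IT Support"}), True, "Catalyst"),  # device type no rule covers
]


def compare_designs(requests=SAMPLE_REQUESTS):
    """Return one row per request: (request, design-1 decision, design-2 decision)."""
    return [(r, evaluate_single_service(r)[0], evaluate_per_device_services(r)[0])
            for r in requests]


def designs_agree(requests=SAMPLE_REQUESTS):
    """True when both layouts reach the same permit/deny decision for every request."""
    return all(d1 == d2 for _, d1, d2 in compare_designs(requests))


if __name__ == "__main__":
    for req, d1, d2 in compare_designs():
        print(f"{req.user:12} {req.device_type:9} single-service={d1:6} per-device={d2}")
```

Run as written, both layouts reach the same decision for every sample request, including the denies for a user without the dial-in attribute, a user in the wrong AD group, and a device type that no rule covers. The difference the model does surface is where the "no match" lands: in the per-device layout a device type with no access service is refused before any authorization rule runs, and the deny reason says so, whereas in the single-service layout it falls through to the default rule like any other mismatch.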