We currently have 2 x ACS 4.x servers performing all AAA in our organisation. I have just received 2 x ACS 5.1 appliances which I would like to implement and for these to take over the running from the 4.1 boxes. As I am not 100% sure of the historical config (or mis-config) of the 4.x boxes I wanted to set the 5.1 boxes up from scratch.
So the 5.1 boxes are licenced, have been added to the AD Domain and have 1 test device (an ASA) configured to use them. I have already been able to get a successful login to the ASA but here comes the crunch - anyone with an AD account can log in.
Before I get a load of 'RTFM' responses, I have read the manual, all 680 odd pages, once through. I am struggling a little with the new terminology as I have used 4.x for so long it is all a little different. I know 4.x has shortfalls and I think 5.1 addresses these but I am struggling with the basics.
So from the section where I have connected to the AD domain I have pulled out a couple of AD groups I want to use when creating rules for access. These are listed in the AD groups section.
The problem is when I create the service policy either simple or rule based, I cannot seem to be able to choose an AD group in order to limit authentication to just this group.
I am sure I am missing something fundamental and ask for a gentle prod in the right direction.
You need to create conditions in the authorization policy that use these groups, similar to the following, to allow users in group "abc" access to the system:
1) Add a column for a condition based on AD user groups: Press "Customize" and select the "AD1:ExternalGroups" attribute as a selected condition and press OK
2) Create a new rule by pressing "Create" in the policy page. Check the "AD1:ExternalGroups", press the select option and then select the group "abc". The shell profile selected as the result should be "PermitAccess" (default result). Press "OK" to save the rule
3) On main policy page check the box next to default and press "Edit". Select the "Deny Access" profile as default rule result
Press "Save Changes" to save the new policy.
Now all users that are in group "abc" will be permitted access and all other users denied
Note there are two possible operators used for operations on external groups that have significance when matching on multiple groups:
Contains ANY: Any one of the listed groups must match for rule to be matched
Contains ALL: All of the listed groups must match for the rule to be matched
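As an added illustration (not part of the original thread and not Cisco's code), here is a small Python model of the evaluation the answer describes: ordered rules conditioned on AD1:ExternalGroups with Contains ANY / Contains ALL, falling through to the default rule's result. It also shows why leaving the default rule at "PermitAccess" lets every AD account in. Rule names and group names are constructed.

```python
from dataclasses import dataclass

# Constructed model of an ACS 5.1 authorization policy: rules are
# evaluated top-down, the first matching rule's shell profile is the
# result, and if nothing matches the default rule's result applies.

@dataclass
class Rule:
    name: str
    groups: frozenset   # AD1:ExternalGroups values listed in the condition
    operator: str       # "ANY" (Contains ANY) or "ALL" (Contains ALL)
    result: str         # shell profile, e.g. "PermitAccess" / "DenyAccess"

    def matches(self, user_groups):
        if self.operator == "ANY":
            return bool(self.groups & user_groups)   # at least one listed group
        if self.operator == "ALL":
            return self.groups <= user_groups        # every listed group
        raise ValueError(f"unknown operator {self.operator!r}")

@dataclass
class Policy:
    rules: list
    default_result: str = "DenyAccess"

    def evaluate(self, user_groups):
        user_groups = frozenset(user_groups)
        for rule in self.rules:
            if rule.matches(user_groups):
                return rule.result
        return self.default_result

# The policy from the answer: only members of "abc" are permitted.
POLICY = Policy(rules=[Rule("allow-abc", frozenset({"abc"}), "ANY", "PermitAccess")])

# A stricter constructed variant: user must be in both groups.
STRICT = Policy(rules=[Rule("netops-oncall", frozenset({"netops", "oncall"}),
                            "ALL", "PermitAccess")])

# The misconfiguration from the question: default left at PermitAccess,
# so any authenticated AD account gets in regardless of group.
OPEN_DEFAULT = Policy(rules=[], default_result="PermitAccess")

def authorize(policy, user_groups):
    return policy.evaluate(user_groups)

if __name__ == "__main__":
    for groups in (["abc", "domain users"], ["domain users"], []):
        print(groups, "->", authorize(POLICY, groups))
```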