Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
484
Views
0
Helpful
1
Replies

How to best switch 4.2 design to 5.3 scaleable model

drewgans
Level 1
Level 1

‎08-15-2012 04:54 PM - edited ‎03-10-2019 07:25 PM

Hi All;

I am somewhat a Newbie with ACS, and am trying to document, resolve and understand a 4.2 implementation in preparation for an upgrade to current version.

In our system we might have 20 engineers, some of whom need access to some of 10 service groups, where a service group could be 3 servers in a cluster providing a network service like logging, SIEM, Configuration control, Key Management etc.

Engineer A might need access to Logging Servers and SIEMs

Engineer B might need access to SIEMS and Key Management servers

Engineer C might need access to Key Management Servers and Logging servers.

Because each engineer uses a single admin user object held in the local ACS internal database, I believe the engineer can be a member of only 1 ACS group.

And there is no easy way to create groups that match to all the different role combinations.

What was put in place with ACS 4.2 was:

Create a separate group for each engineer.

For each network service like Logging or SIEM, place all the logging servers in a separate dedicated NDG

Create a separate policy for access to logging servers

Then for each of the 4 out of our 20 engineers that need access to the logging servers, create 4 permit rules in the Logging NAP policy, a separate permit rule for each of the 4 engineers.

This is not a design to be overly proud of, and is not very scalable, but it works fine at our level.

I understand ACS 5.3 provides a more elegant and scalable solution. Can you please advise/provide links to clarify a preferred solution?

Thanks

Drew

Labels:
0 Helpful
1 Reply 1

Tarik Admani
VIP Alumni
VIP Alumni

‎08-15-2012 08:19 PM

Drew,

ACS 5.3 will help you with you current situation. With ACS 4 there was the group mapping landscape in the way users were mapped and dropped in a bucket with those operations. ACS 5.x is a policy driven solution and can really does process policies based on the endpoint and can combine multiple policies in order to match a result.

Here is the basics of ACS 5 and the comparison of ACS 4 -

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/policy_mod.html

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents