Cisco Support Community

How to best switch 4.2 design to 5.3 scalable model

Hi All;

I am somewhat of a newbie with ACS, and am trying to document, resolve and understand a 4.2 implementation in preparation for an upgrade to the current version.

In our system we might have 20 engineers, some of whom need access to some of 10 service groups, where a service group could be 3 servers in a cluster providing a network service like logging, SIEM, Configuration control, Key Management etc.

Engineer A might need access to Logging Servers and SIEMs

Engineer B might need access to SIEMs and Key Management servers

Engineer C might need access to Key Management Servers and Logging servers.

Because each engineer uses a single admin user object held in the local ACS internal database, I believe the engineer can be a member of only 1 ACS group.

And there is no easy way to create groups that match to all the different role combinations.

What was put in place with ACS 4.2 was:

Create a separate group for each engineer.

For each network service like Logging or SIEM, place all the logging servers in a separate dedicated NDG

Create a separate policy for access to logging servers

Then for each of the 4 out of our 20 engineers that need access to the logging servers, create 4 permit rules in the Logging NAP policy, a separate permit rule for each of the 4 engineers.

This is not a design to be overly proud of, and is not very scalable, but it works fine at our level.

I understand ACS 5.3 provides a more elegant and scalable solution. Can you please advise/provide links to clarify a preferred solution?

Thanks

Drew

1 REPLY


Drew,

ACS 5.3 will help you with your current situation. With ACS 4 there was the group mapping landscape, in the way users were mapped and dropped in a bucket with those operations. ACS 5.x is a policy-driven solution and really does process policies based on the endpoint, and it can combine multiple policies in order to match a result.

Here are the basics of ACS 5 and the comparison with ACS 4:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/policy_mod.html

Thanks,

Tarik Admani
*Please rate helpful posts*

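The two layouts discussed in this thread, as an added example that is not part of the original posts and not Cisco code: a toy first-match policy engine in Python that builds Drew's ACS 4.2 layout (one group per engineer, one permit rule per engineer in each service's policy) beside a condition-based layout in the spirit of Tarik's reply (one rule per service, matching the device's NDG together with a per-service role attribute carried by the user). The device names, engineer names, role attribute names and the multi-valued `roles` field on a user are constructed assumptions for the model; real ACS 5.x rule syntax and attribute sources are not reproduced here.

```python
"""Toy comparison of two ACS-style authorization layouts (added example, not Cisco code).

Both layouts are evaluated by the same first-match engine with an implicit deny,
so the only thing that differs is how many rules each layout needs.
"""
from dataclasses import dataclass, field
from itertools import product

# Constructed sample data: three service groups, each a small cluster of servers.
NDG = {  # device name -> network device group (NDG)
    "log-01": "Logging", "log-02": "Logging", "log-03": "Logging",
    "siem-01": "SIEM", "siem-02": "SIEM",
    "kms-01": "KeyMgmt", "kms-02": "KeyMgmt",
}

# Constructed: which service groups each engineer administers (mirrors the post).
NEEDS = {
    "engA": {"Logging", "SIEM"},
    "engB": {"SIEM", "KeyMgmt"},
    "engC": {"KeyMgmt", "Logging"},
}


@dataclass
class Rule:
    ndg: str          # network device group the rule applies to
    attr: str         # user attribute consulted: "group" (single) or "role" (multi-valued)
    require: str      # value that attribute must carry for the rule to match
    permit: bool = True


@dataclass
class User:
    name: str
    group: str                                  # single group membership (4.2-style)
    roles: frozenset = field(default_factory=frozenset)  # assumed multi-valued attribute (5.x-style)


def evaluate(rules, user, device, ndg_map):
    """First matching rule decides; no match means deny."""
    ndg = ndg_map[device]
    for r in rules:
        if r.ndg != ndg:
            continue
        matched = (r.attr == "group" and user.group == r.require) or \
                  (r.attr == "role" and r.require in user.roles)
        if matched:
            return r.permit
    return False  # implicit deny


def build_42(needs):
    """4.2 layout: one group per engineer, one permit rule per (engineer, service)."""
    users = {n: User(n, group=f"grp-{n}") for n in needs}
    rules = [Rule(ndg=s, attr="group", require=f"grp-{n}")
             for n, svcs in needs.items() for s in sorted(svcs)]
    return users, rules


def build_5x(needs, ndg_map):
    """Condition-based layout: one rule per service; users carry a role per service."""
    users = {n: User(n, group="engineers", roles=frozenset(f"{s}-admin" for s in svcs))
             for n, svcs in needs.items()}
    rules = [Rule(ndg=s, attr="role", require=f"{s}-admin")
             for s in sorted(set(ndg_map.values()))]
    return users, rules


def authorized_pairs(users, rules, ndg_map):
    """Every (engineer, device) pair the rule set permits."""
    return {(u, d) for u, d in product(users, ndg_map)
            if evaluate(rules, users[u], d, ndg_map)}


def compare(needs=NEEDS, ndg_map=NDG):
    """Rule counts of both layouts and whether they reach identical decisions."""
    u42, r42 = build_42(needs)
    u5x, r5x = build_5x(needs, ndg_map)
    return {
        "rules_42": len(r42),
        "rules_5x": len(r5x),
        "same_decisions": authorized_pairs(u42, r42, ndg_map)
                          == authorized_pairs(u5x, r5x, ndg_map),
    }


if __name__ == "__main__":
    print(compare())
```

With the three engineers above the per-engineer layout needs six rules and the condition-based layout needs three, and both permit exactly the same (engineer, device) pairs. The first count grows with engineers times services (the 20 engineers and 10 service groups in the question), the second only with the number of services; adding an engineer in the second layout means assigning attributes, not editing every service policy. Anything that matches no rule is denied in both models.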