Cisco ACE with ACS5.0

helsayed78
Level 1

Guys,

Is there a way that I can configure authentication using ACS 5.0 to access a certain server farm group only for a specific user?

Sent from Cisco Technical Support iPad App


4 Replies

Yes, you could, using roles & domains. You would initially have to configure a domain on the ACE and add the relevant serverfarm to it.

Then in ACS configure the policy for authentication & authorization and, under the Shell Profile / Custom Attributes section, add an attribute of shell: with Value of , similar to what I have below for my environment (I just have a role of Admin and the default domain in mine). Then you can test by logging in and issuing the 'show users' command to verify (or check the ACS TACACS/RADIUS logs).
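The ACE side of what Mick describes (a domain holding the serverfarm, a role with limited rights, TACACS+ authentication against ACS with the role and domain supplied by the shell profile), written out as an added example. It is not from the thread, from Cisco's documentation or from any real deployment: the object names SF-WEB, WEB-OPS-DOMAIN, SF-OPERATOR and ACS-TACACS, the addresses and the key/hash placeholders are all constructed, and the shell:<context>=<role> <domain> attribute format is my reading of the ACE AAA documentation, to be checked against the configuration guide for the ACE release in use.

```cisco
! Added example (not from the thread): ACE configuration that confines one
! user group to a single serverfarm through a domain and a role.
! Object names, addresses, key and password hash are constructed placeholders.

! 1. Real servers and the serverfarm the group is allowed to operate on.
rserver host WEB1
  ip address 10.0.0.11
  inservice
rserver host WEB2
  ip address 10.0.0.12
  inservice
serverfarm host SF-WEB
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! 2. A domain containing only that serverfarm and its rservers. A session
!    bound to this domain cannot see or change objects outside it.
domain WEB-OPS-DOMAIN
  add-object serverfarm SF-WEB
  add-object rserver WEB1
  add-object rserver WEB2

! 3. A role limiting what may be done to the objects inside the domain:
!    modify serverfarm settings, monitor everything, create nothing.
role SF-OPERATOR
  rule 1 permit modify feature serverfarm
  rule 2 permit monitor

! 4. Local fallback account with the same restricted scope, used only when
!    ACS is unreachable (the 'local' keyword in step 5). Placeholder hash.
username webops password 5 <PASSWORD-HASH-PLACEHOLDER> role SF-OPERATOR domain WEB-OPS-DOMAIN

! 5. TACACS+ authentication and accounting against ACS 5.x; the console
!    stays on local authentication so a lost ACS cannot lock you out.
tacacs-server host 192.0.2.10 key <TACACS-KEY-PLACEHOLDER>
aaa group server tacacs+ ACS-TACACS
  server 192.0.2.10
aaa authentication login default group ACS-TACACS local
aaa authentication login console local
aaa accounting default group ACS-TACACS

! 6. What ACS must return for a user in the permitted AD group
!    (Shell Profile > Custom Attributes in ACS 5.0). 'Admin' is the ACE
!    context name; the value carries the role and then the domain(s).
!    Assumed format, per the ACE AAA documentation as I understand it:
!      Attribute: shell:Admin
!      Value:     SF-OPERATOR WEB-OPS-DOMAIN
!    A user whose shell profile carries no usable attribute must not end
!    up with more than the ACE default role; confirm that on your release
!    with the checks below rather than assuming it.

! 7. Verify after logging in as the user:
!      show users                   -> role and domain bound to the session
!      show domain WEB-OPS-DOMAIN   -> objects the session can reach
!    and compare with the TACACS+ authorization record in the ACS logs.
```

The point of the split between steps 2 and 3 is that the domain decides which objects a session can reach and the role decides what it can do to them; both have to be narrow for the serverfarm restriction to hold. Step 7 is the check Mick suggests: 'show users' on the ACE shows what the session actually received, which is what matters if the ACS attribute was mistyped.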

Thank you so much, but how can I match this with the group on the AD, since I am using the external DB method, not the internal one?

Sent from Cisco Technical Support iPad App

To match against an AD attribute, firstly you would need to configure ACS to see your Windows domain as a valid External Identity Store; then your authorization policy would need to make use of what ACS calls 'Group Mappings'.

This is where you tell ACS which attribute to look for in AD and what the resultant internal ID group is. This internal ID group is then used in your authorization policy.

If you need any more information, take a look at the ACS guides or ask the experts over in the Security/AAA section.

Thanks Mick, it is working like a charm.