
New Member

Cisco ACE with ACS5.0

Guys,

Is there a way that I can configure authentication using ACS 5.0 to access a certain server farm group only for a specific user?

Sent from Cisco Technical Support iPad App

4 REPLIES

Cisco ACE with ACS5.0

Yes, you could using roles & domains. You would initially have to configure a domain on the ACE and add the relevant serverfarm to it.

Then in ACS configure the policy for authentication & authorization and under the Shell Profile / Custom Attributes section add an attribute of shell: with Value of , similar to what I have below for my environment (I just have a role of Admin and the default domain in mine). Then you can test by logging in and issuing the 'show users' command to verify (or check the ACS TACACS+/RADIUS logs).
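The ACE-side half of the answer above, as an added example that is not from the original post: a domain that contains only one serverfarm, plus a local user bound to that domain so the scoping can be verified with `show users` before TACACS+ is switched on. The names `WEB-ONLY`, `SF-WEB`, `SF-DB`, `webops` and the role `Network-Monitor` are constructed for this illustration; the ACS shell attribute value is not reproduced here because the answer's own screenshot is not on the page.

```cisco
! --- Added example (constructed names), not configuration from the thread ---
! Two serverfarms exist on the ACE; only SF-WEB should be reachable by webops.
serverfarm host SF-WEB
  rserver WEB01
    inservice
serverfarm host SF-DB
  rserver DB01
    inservice

! A domain is the object-visibility boundary on the ACE: a user assigned to
! WEB-ONLY can see and act on SF-WEB but not on SF-DB, whatever role they hold.
domain WEB-ONLY
  add-object serverfarm SF-WEB

! Local test user scoped to the domain. The role limits which commands are
! allowed (Network-Monitor is a built-in read-only role); the domain limits
! which objects those commands may touch. Replace the password placeholder.
username webops password 0 <placeholder-password> role Network-Monitor domain WEB-ONLY

! Verification after logging in as webops:
!   show users            -> lists the session with its role and domain
!   show serverfarm SF-DB -> should fail, the object is outside WEB-ONLY
```

When the user is instead authenticated via ACS, the same role and domain names must be what the ACS shell attribute hands back, and the ACE still enforces the domain boundary locally.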

New Member

Re: Cisco ACE with ACS5.0

Thank you so much, but how can I match this with the group on AD, since I am using the external DB method, not the internal one?

Sent from Cisco Technical Support iPad App

Re: Cisco ACE with ACS5.0

To match against an AD attribute, firstly you would need to configure ACS to see your Windows domain as a valid External Identity Store; then your authorization policy would need to make use of what ACS calls 'Group Mappings'.

This is where you tell ACS what attribute to look for in AD and what the resultant internal ID group is. This internal ID group is then used in your authorization policy.

If you need any more information, take a look at the ACS guides or ask the experts over in the Security/AAA section.

New Member

Re: Cisco ACE with ACS5.0

Thanks Mick, it is working like a charm.
