Cisco Support Community

ACS 5.5 Configuration Example? Multi-site Ideas...

Hi Folks,

Working on deploying ACS 5.5 in a multi-site (5+) environment.  With groups going away, what is the best way to allow location-based access?  So far, I have the following, but it seems way overcomplicated.

 

Each device is assigned a location in the NDG

User Attributes: Location Restriction (string)

Device Restrictions - Enumeration (e.g. Router: Read <or> Read/Write <or> No Access)

 

Access Service Selection - Each site has its own TACACS and RADIUS Access Service
(e.g. SITE_A-TACACS, SITE_A-RADIUS, SITE_B-TACACS....etc)
Matches are done on NDG Location and Protocol

Each SITE Access service (SITE_A-TACACS) has role-based policies per device type. The following is an authorization policy for SITE_A Router Admin Access:

Router Admin Policy

Check User Attribute: Device Restrictions: Enumeration Value: Router Admin

AND

- Check User Attributes: String: Location Restriction ( IF CONTAINS ) SITE_A
 OR

-Check User Attributes: String: Location Restriction ( IF CONTAINS ) None

Shell: Router Admin

Command Set:  Router Admin


It works great; however, that means the rules need to be duplicated if a new site is brought online.  Also, if a new device type is created, say, Firewalls, an additional user attribute would need to be created and all users updated.  Additionally, all sites in the service selection would need the appropriate device type added: SITE_A, B, C, etc. would each need a firewall authorization profile created.

 

Thanks for reading

2 REPLIES

Nathan, thanks for sharing


Hello,

 

ACS is a policy-based server, and as with every policy server, you need to comply with a set of conditions to get a result.

 

The best way to do it is by having as conditions NDG Location + NDG Device Type + User AD or local group = xxxx permission.

 

Regards,

 

Erick Delgado
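To make the suggested rule structure concrete, here is an added example (not from either poster, and not ACS code) that models a single first-match authorization table keyed on NDG Location, NDG Device Type and identity group, the way the reply proposes. Device names, group names, shell profiles and command sets are constructed for the illustration; ACS itself evaluates its rule table in the GUI, and nothing here talks to a server. The point it shows is that a new site or a new device type only adds rows to one table (plus the NDG entries) and never touches per-user attributes or per-site access services.

```python
"""Model of an ACS-style first-match authorization policy whose
conditions are NDG Location + NDG Device Type + user group.
Added illustration only; names below are made up for the example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # wildcard: the condition is not checked (like ACS "-ANY-")


@dataclass(frozen=True)
class Device:
    name: str
    location: str      # NDG Location, e.g. "SITE_A"
    device_type: str   # NDG Device Type, e.g. "Router"


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]  # AD or ACS internal identity groups


@dataclass(frozen=True)
class Rule:
    name: str
    location: Optional[str]     # ANY or an NDG Location value
    device_type: Optional[str]  # ANY or an NDG Device Type value
    group: str                  # identity group the user must belong to
    shell_profile: str          # result: shell profile to return
    command_set: str            # result: command set to return

    def matches(self, dev: Device, user: User) -> bool:
        return ((self.location is ANY or self.location == dev.location)
                and (self.device_type is ANY or self.device_type == dev.device_type)
                and self.group in user.groups)


def authorize(rules: List[Rule], dev: Device, user: User) -> Optional[Tuple[str, str, str]]:
    """Return (rule name, shell profile, command set) of the first matching
    rule. None means no rule matched, which the table's default rule should
    turn into a deny. Because matching is first-match, rule order matters:
    broader rules placed first win over narrower ones below them."""
    for rule in rules:
        if rule.matches(dev, user):
            return rule.name, rule.shell_profile, rule.command_set
    return None


# One table for every site and device type (constructed example rows).
POLICY: List[Rule] = [
    # Staff who administer everything: no location or device-type condition.
    Rule("Global Admin", ANY, ANY, "NetAdmins-Global", "Admin-Shell", "Admin-Commands"),
    # Per-site, per-device-type roles; one row each, no per-user attributes.
    Rule("SITE_A Router Admin", "SITE_A", "Router", "SITE_A-RouterAdmins", "Admin-Shell", "Admin-Commands"),
    Rule("SITE_A Firewall Admin", "SITE_A", "Firewall", "SITE_A-FirewallAdmins", "Admin-Shell", "Admin-Commands"),
    Rule("SITE_B Router Admin", "SITE_B", "Router", "SITE_B-RouterAdmins", "Admin-Shell", "Admin-Commands"),
    Rule("SITE_B Router ReadOnly", "SITE_B", "Router", "SITE_B-RouterReadOnly", "ReadOnly-Shell", "ReadOnly-Commands"),
]

# Constructed NDG members and users.
RTR_A1 = Device("rtr-a1", "SITE_A", "Router")
FW_A1 = Device("fw-a1", "SITE_A", "Firewall")
RTR_B1 = Device("rtr-b1", "SITE_B", "Router")
FW_B1 = Device("fw-b1", "SITE_B", "Firewall")

ALICE = User("alice", frozenset({"SITE_A-RouterAdmins"}))
BOB = User("bob", frozenset({"NetAdmins-Global"}))
CAROL = User("carol", frozenset({"SITE_B-RouterReadOnly"}))


def bring_up_site(rules: List[Rule], site: str, device_types: List[str]) -> List[Rule]:
    """Adding a site means adding rows for its roles; nothing else changes.
    Returns a new table (constructed helper for the illustration)."""
    added = [Rule(f"{site} {dt} Admin", site, dt, f"{site}-{dt}Admins", "Admin-Shell", "Admin-Commands")
             for dt in device_types]
    return rules + added


if __name__ == "__main__":
    for dev, user in [(RTR_A1, ALICE), (FW_A1, ALICE), (FW_B1, BOB), (RTR_B1, CAROL), (FW_B1, CAROL)]:
        print(f"{user.name} -> {dev.name}: {authorize(POLICY, dev, user) or 'DENY (default rule)'}")
```

Note that a user's access is derived entirely from group membership plus the two NDG attributes of the device, so the "Location Restriction contains None" clause from the original post becomes a global group with an ANY location condition, and a read-only role is simply another row returning a different shell profile and command set.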
