https://community.cisco.com/t5/network-access-control/acs-5-3-authorization-problem-with-using-identity-groups-in/m-p/2032617#M147714 <P>Hello guys, I am found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.</P><P>ACS version: 5.3.0.40.6 (internal build B.839)</P><P>I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.</P><UL><LI>Requested Identity Group exist</LI><LI>Testing user is created in <STRONG>Internal Users</STRONG> and has assigned requested Identity Group</LI><LI>Radius Access Policy:&nbsp; <UL><LI><STRONG>Authentication</STRONG> against <STRONG>Identity Store Sequence</STRONG>, where authorization server is external RSA SecurID device and <STRONG><EM>additional attributes retrieval</EM></STRONG> is configured from <STRONG>Internal Users</STRONG>.</LI><LI><STRONG>Authorization</STRONG> is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then <STRONG>Default</STRONG> rule is set to Deny.</LI></UL></LI></UL><P>When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.</P><P>I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.</P><P>What I am tested:</P><UL><LI>Remove testing user and create his account again.</LI><LI>Rename Identity Group</LI><LI>Use another Identity Group</LI><LI>Remove Access Policy rule and create it again</LI><LI>Use Compound Condition: System:Identity Group</LI><LI>Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)</LI></UL><P>Do you have any idea where problem can be?</P> Tue, 26 Mar 2019 00:29:26 GMT Michal Breskovec 2019-03-26T00:29:26Z https://community.cisco.com/t5/network-access-control/acs-5-3-authorization-problem-with-using-identity-groups-in/m-p/2032617#M147714 <P>Hello guys, I am found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.</P><P>ACS version: 5.3.0.40.6 (internal build B.839)</P><P>I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.</P><UL><LI>Requested Identity Group exist</LI><LI>Testing user is created in <STRONG>Internal Users</STRONG> and has assigned requested Identity Group</LI><LI>Radius Access Policy:&nbsp; <UL><LI><STRONG>Authentication</STRONG> against <STRONG>Identity Store Sequence</STRONG>, where authorization server is external RSA SecurID device and <STRONG><EM>additional attributes retrieval</EM></STRONG> is configured from <STRONG>Internal Users</STRONG>.</LI><LI><STRONG>Authorization</STRONG> is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then <STRONG>Default</STRONG> rule is set to Deny.</LI></UL></LI></UL><P>When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.</P><P>I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.</P><P>What I am tested:</P><UL><LI>Remove testing user and create his account again.</LI><LI>Rename Identity Group</LI><LI>Use another Identity Group</LI><LI>Remove Access Policy rule and create it again</LI><LI>Use Compound Condition: System:Identity Group</LI><LI>Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)</LI></UL><P>Do you have any idea where problem can be?</P> Tue, 26 Mar 2019 00:29:26 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-authorization-problem-with-using-identity-groups-in/m-p/2032617#M147714 Michal Breskovec 2019-03-26T00:29:26Z https://community.cisco.com/t5/network-access-control/acs-5-3-authorization-problem-with-using-identity-groups-in/m-p/2032618#M147737 <HTML><HEAD></HEAD><BODY><P>OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistence wich was solved by ACS itself.</P></BODY></HTML> Wed, 17 Oct 2012 09:04:16 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-authorization-problem-with-using-identity-groups-in/m-p/2032618#M147737 Michal Breskovec 2012-10-17T09:04:16Z