https://community.cisco.com/t5/network-access-control/how-to-best-switch-4-2-design-to-5-3-scaleable-model/m-p/2001710#M206171 <HTML><HEAD></HEAD><BODY><P>Drew,</P><P></P><P>ACS 5.3 will help you with you current situation. With ACS 4 there was the group mapping landscape in the way users were mapped and dropped in a bucket with those operations. ACS 5.x is a policy driven solution and can really does process policies based on the endpoint and can combine multiple policies in order to match a result.</P><P></P><P>Here is the basics of ACS 5 and the comparison of ACS 4 - </P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/policy_mod.html">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/policy_mod.html</A></P><P></P><P>Thanks,</P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 16 Aug 2012 03:19:56 GMT Tarik Admani 2012-08-16T03:19:56Z https://community.cisco.com/t5/network-access-control/how-to-best-switch-4-2-design-to-5-3-scaleable-model/m-p/2001709#M206163 <P>Hi All;</P><P></P><P>I am somewhat a Newbie with ACS, and am trying to document, resolve and understand a 4.2 implementation in preparation for an upgrade to current version.</P><P></P><P>In our system we might have 20 engineers, some of whom need access to some of 10 service groups, where a service group could be 3 servers in a cluster providing a network service like logging, SIEM, Configuration control, Key Management etc.</P><P>Engineer A might need access to Logging Servers and SIEMs</P><P>Engineer B might need access to SIEMS and Key Management servers</P><P>Engineer C might need access to Key Management Servers and Logging servers.</P><P>Because each engineer uses a single admin user object held in the local ACS internal database, I believe the engineer can be a member of only 1 ACS group.</P><P>And there is no easy way to create groups that match to all the different role combinations.</P><P>What was put in place with ACS 4.2 was:</P><P>Create a separate group for each engineer.</P><P>For each network service like Logging or SIEM, place all the logging servers in a separate dedicated NDG</P><P>Create a separate policy for access to logging servers</P><P>Then for each of the 4 out of our 20 engineers that need access to the logging servers, create 4 permit rules in the Logging NAP policy, a separate permit rule for each of the 4 engineers.</P><P>This is not a design to be overly proud of, and is not very scalable, but it works fine at our level.</P><P></P><P>I understand ACS 5.3 provides a more elegant and scalable solution. Can you please advise/provide links to clarify a preferred solution?</P><P></P><P>Thanks</P><P>Drew</P> Mon, 11 Mar 2019 02:25:55 GMT https://community.cisco.com/t5/network-access-control/how-to-best-switch-4-2-design-to-5-3-scaleable-model/m-p/2001709#M206163 drewgans 2019-03-11T02:25:55Z https://community.cisco.com/t5/network-access-control/how-to-best-switch-4-2-design-to-5-3-scaleable-model/m-p/2001710#M206171 <HTML><HEAD></HEAD><BODY><P>Drew,</P><P></P><P>ACS 5.3 will help you with you current situation. With ACS 4 there was the group mapping landscape in the way users were mapped and dropped in a bucket with those operations. ACS 5.x is a policy driven solution and can really does process policies based on the endpoint and can combine multiple policies in order to match a result.</P><P></P><P>Here is the basics of ACS 5 and the comparison of ACS 4 - </P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/policy_mod.html">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/policy_mod.html</A></P><P></P><P>Thanks,</P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 16 Aug 2012 03:19:56 GMT https://community.cisco.com/t5/network-access-control/how-to-best-switch-4-2-design-to-5-3-scaleable-model/m-p/2001710#M206171 Tarik Admani 2012-08-16T03:19:56Z