https://community.cisco.com/t5/network-access-control/acs-5-1-internal-users/m-p/1543079#M259532 <HTML><HEAD></HEAD><BODY><P>Hi Stevie,</P><P></P><P>Yes, it should work as you are planning to and it is a clever was of achieving it.</P><P></P><P>BR,</P><P>Tiago</P><P></P><DIV class="jive-rendered-content"><DIV class="jive-rendered-content"><P>--</P><P>If&nbsp; this helps you and/or answers your question please mark the question as&nbsp; "answered" and/or rate it, so other users can easily find it.</P></DIV></DIV></BODY></HTML> Tue, 19 Oct 2010 09:22:07 GMT Tiago Antunes 2010-10-19T09:22:07Z https://community.cisco.com/t5/network-access-control/acs-5-1-internal-users/m-p/1543077#M259447 <P>Hi</P><P></P><P>I have an customer with an ACS config that has an identity store sequence to authenticate agains for tacacs.&nbsp; First the internal database is checked for the user.&nbsp; If they do not exist there they are checked against AD.</P><P></P><P>If the user is one of the 200+ they have migrated from an ACS 4 config into internal users they want to give them full enable access.&nbsp; If the user is not in the internal database and needs verified via AD they only get priv 1 access.</P><P></P><P>Is there an easy way to create an Authorization rule in the default device admin service selection rule to do this. ?</P><P></P><P>I'm trying to test via a compound Condition.&nbsp; The condition matches the Dictionary Internal Users group attribute with a value of All Groups.&nbsp; I cannot connect to AD at the moment to test this as it's in a lab environment but I'm hoping that when this rule is checked then only users that are explicitly in the internal database via the All Groups condition will match.&nbsp; If the user was matched via AD this rule won't match and the next one will come into effect which is a default rule to give priv 1 access.</P><P></P><P>Anyone have any thoughts on this method ?</P><P></P><P>Many thanks, Stephen.</P> Mon, 11 Mar 2019 00:30:24 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-internal-users/m-p/1543077#M259447 StevieOliver_2 2019-03-11T00:30:24Z https://community.cisco.com/t5/network-access-control/acs-5-1-internal-users/m-p/1543078#M259470 <HTML><HEAD></HEAD><BODY><P>Excuse my stupidity.&nbsp; There is an Identity group condi<SPAN style="background-color: #f8fafd;">tion in the Authorization rules page for this.&nbsp; I don't need and compound condition.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">My intention is to match on Any Group there and apply priv 15 access with a shell profile.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">I will then leave the default rule to catch all others which go to AD for authentication.&nbsp; I assume they will not match the Any Groups Identity Group so will use the default rule.&nbsp; I'll then apply the appropriate shell profile to the default rule.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Thanks, Stephen.</SPAN></P></BODY></HTML> Tue, 19 Oct 2010 09:11:13 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-internal-users/m-p/1543078#M259470 StevieOliver_2 2010-10-19T09:11:13Z https://community.cisco.com/t5/network-access-control/acs-5-1-internal-users/m-p/1543079#M259532 <HTML><HEAD></HEAD><BODY><P>Hi Stevie,</P><P></P><P>Yes, it should work as you are planning to and it is a clever was of achieving it.</P><P></P><P>BR,</P><P>Tiago</P><P></P><DIV class="jive-rendered-content"><DIV class="jive-rendered-content"><P>--</P><P>If&nbsp; this helps you and/or answers your question please mark the question as&nbsp; "answered" and/or rate it, so other users can easily find it.</P></DIV></DIV></BODY></HTML> Tue, 19 Oct 2010 09:22:07 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-internal-users/m-p/1543079#M259532 Tiago Antunes 2010-10-19T09:22:07Z