topic Re: 10 devices on ACS, 20 users mapped from windows. How to spec in Network Access Control

10 devices on ACS, 20 users mapped from windows. How to specify access?

guibarati — Sun, 10 Mar 2019 23:15:49 GMT

I have 10 devices and I want the administrative access to be authenticated agaist an ACS.

There are 20 users who will be allowed to authenticate on them, but they must have different access like:

User A access -> 1,5,8,9

User B access -> 8,9,10

And so on.

I've tried to use NAR to say wich user have access to wich device, but this way I must create a windows group for each combination of user device access wich is extremaly huge for 10 devices.

I would need one group for who can access device 1,5,8. Other for 4,8,9 and so on. Besides that for each change I would need creating a new group.

The total number of combinations is more then 3,600,00 for 10 devices.

Re: 10 devices on ACS, 20 users mapped from windows. How to spec

jhillend — Mon, 05 Jan 2009 20:14:58 GMT

If you were to create a user group for each NAR combination you would need (2^10)-1 groups, or 1023 user groups. Still a big number and more than twice the number of available user groups in ACS. In this case you are better off configuring the NAR capability in each individual user configuration.

To explain the above number, the following list will explain:

devs | grps

3 7

4 15

5 31

For 3 devices, a, b and c, the combinations are: abc, ab, ac, bc, a, b, c (= 7)

For 5 devices, a, b, c, d and e, the combinations are: abcde, abcd, abce, abde, acde, bcde, abc, abd, abe, acd, ace, ade, bcd, bce, bde, cde, ab, ac, ad, ae, bc, bd, be, cd, ce, de, a, b, c, d and e (= 31)

and so on.

Re: 10 devices on ACS, 20 users mapped from windows. How to spec

guibarati — Mon, 05 Jan 2009 20:28:52 GMT

Ok, I had misused the 10! instead of 2^10-1, but that is not the point, the point is there would be necessary too many groups and you cach that.

So you sugested using user lever NAR, but can I use that for users in windows? Like mapping a individual windows user to an ACS user?

Or should I create local ACS database users to do that?

Re: 10 devices on ACS, 20 users mapped from windows. How to spec

jhillend — Mon, 05 Jan 2009 21:21:44 GMT

Ah, you didn't mention Windows. Well, if you only have 20 users, the most groups you would need are 20. Or, if you only have 20 users, I would suggest configuring the users directly on ACS and use Windows AD for authentication only. They keep their normal login, but you have control over them. I am assuming that these users are device administrators requiring access control to network devices through ACS.

Re: 10 devices on ACS, 20 users mapped from windows. How to spec

guibarati — Tue, 06 Jan 2009 10:25:36 GMT

Acctualy I mentioned on the title "mapped from windows" but I guess I should had said it in conversations body.

But my big problem is the growing number of users, so I would like a way to limit the access of users somehow that I don't need one group per access combination.