topic ACS Identity Groups Configuration Question in Network Access Control

ACS Identity Groups Configuration Question

rkallas — Mon, 11 Mar 2019 04:50:48 GMT

Hi,

I'm configuring a new ACS5.4 appliance from scratch. My previous ACS was a 3.3 Windows system so we decided to redesign the configuration. You can imagine that the new ACS is very different to me.

My question is what is the best approach to setting up Identity Groups and Access Groups for TACACS authentication/authorization for our network devices. I'll be using Activey Directory as my external ID Store.

Here's my criteria:

- I need to have Full Access Admins and Read Only Admins for remote site support staff.

- These Admins are granted access to 3 different network layers either with Full Access or Read Only access.

- Our external AD groups are set up to match Full Access or Read Only for each network layer.

Here's an example of how the are , and Full Access Here is how our Network Access groups in AD are set up:

Access Groups:
Full Contol Admins
Read Only Admins

Network Layers Per Site:
Site1-Core
Site1-Distro
Site1-Access
------------
Site2-Core
Site2-Distro
Site2-Access

AD Groups Per Site:
Site1-Core-Full Control
Site1-Core-Read Only

Site1-Distro-Full Control
Site1-Distro-Read Only

Site1-Access-Full Control
Site1-Access-Read Only
-----------------------
Site2-Core-Full Control
Site2-Core-Read Only

Site2-Distro-Full Control
Site2-Distro-Read Only

Site2-Access-Full Control
Site2-Access-Read Only

From what I've read in the ACS 5.4 configuration documents, it seems more efficient to create Identity Groups specific to the Access types (Full Control or RO) instead of creating a whole bunch of Access Groups. But at this point I'm bit uncertain about what approach I should take. Any advise is greatly appreciated!

Ray

Ray,Try to make this as

edwardcollins7 — Thu, 03 Jul 2014 19:33:43 GMT

Ray,

Try to make this as simple as possible.

If you are using AD, forget the local identity groups, it will just complicate the setup.

I think you already have AD groups, so great.

When you define the devices on the ACS, use a new NDG for site and name them:

Site1-Core
Site1-Distro
Site1-Access
------------
Site2-Core
Site2-Distro
Site2-Access

Make each device part of the respective NDG.

In the Identity section of the access service on the ACS, point it to AD directly.

In the Authorization use the concept:

"If AD group is X and site is A" then "Full acces/ read only"

I know you are new to ACS 5 so if you have any questions, feel free to contact me.

Rate if Useful 🙂

Sharing knowledge makes you Immortal.

Regards,

Thanks Ed!I think you've

rkallas — Tue, 08 Jul 2014 18:25:24 GMT

Thanks Ed!

I think you've confirmed what I was thinking; Identity groups in this case were just complicating the configuration.

I'm going to give this a try and let you know how it works.

Ray

Hi Ed,To recap your steps:1.

rkallas — Fri, 11 Jul 2014 23:05:23 GMT

Hi Ed,

To recap your steps:

1. I already have AD groups

2. I defined the devices on the ACS, and have new NDGs by sites:

Site1-Core
Site1-Distro
Site1-Access

3. Each device part of the respective NDG (Router, Switch, FW, etc.)

4. In the Access Service section I have :

Access Policies/Access Services/TACACS Device Admin/Identity:
Rule-1 NDG device type=All / NDG Locations = All / Identity Source = AD1

5. In the Authorization section, I tried to set up as you suggested "If AD group is X and site is A" then "Full acces/ read only"
For Authorization though, I get choices for Identity Group, NDG:Location, NDG: Device Type, & Device Filter and the Results Shell Profile. There doesn't seem to be a selection that I can pick an AD Group from.

Am I in the wrong section for this? Or have I missed a step earlier on in the process?

Any advice is greatly appreciated!

Ray