
3415 Cisco Secure ACS + REST Web Service

nksatish1
Level 1

Hi,

We have a Cisco 3415 running ver 5.5 that is used ONLY for user access into the Cisco devices on the network.

 

Number of devices on the network = 2800

NDGs = 25

Number of users = 300

 

Each user is unique and will need ANY combination of the above 25 NDGs. We also use the REST web service to automate creating, reading, updating and deleting the user ID on the ACS and its authorization to the NDGs.

 

We cannot assign a user to multiple NDGs, nor can we assign a user to multiple Identity groups. Can someone please advise how we can give my users access to any combination of NDGs while retaining the ability to use the REST API to automate user create, delete and modify?

 

Appreciate your advice.

 

Thanks

Satish
 

1 Reply

Nathan Spitzer
Level 1

This is old but I will answer it anyway in case anyone else stumbles upon it...

Using identity groups, this is functionally impossible as far as I can figure. The only way to do this using only ACS is to create Boolean User Attributes for each NDG and, during user creation, set each flag as appropriate. Then in the Access Service just check the status of the appropriate flag to allow/disallow access to a particular NDG.

 

You create custom user attributes by going to System Administration->Configuration->Dictionaries->Identity->Internal Users.
 

That said, I would STRONGLY urge you to consider setting up a simple LDAP directory or using an existing MS AD domain, and using LDAP/AD groups. The way I showed may not be scalable enough, and using a very simple LDAP database allows much greater freedom of movement later.
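
A small model of the approach in the reply above, added here as an illustration and not taken from the thread or from Cisco: one Boolean attribute per NDG, one rule per NDG, default deny. The NDG names, the `ndg_` attribute naming scheme and the sample users are assumptions; the code does not call ACS or its REST API.

```python
# Added illustration: models the flag-per-NDG policy only. Not ACS code.
# NDG names and the "ndg_<name>" attribute naming are hypothetical.

NDGS = [f"NDG{i:02d}" for i in range(1, 26)]  # 25 groups, as in the question


def flag_name(ndg):
    """Hypothetical name of the per-NDG Boolean user attribute."""
    return f"ndg_{ndg.lower()}"


def build_user_attributes(allowed_ndgs):
    """One Boolean per NDG; anything not explicitly granted is False."""
    unknown = set(allowed_ndgs) - set(NDGS)
    if unknown:
        raise ValueError(f"unknown NDG(s): {sorted(unknown)}")
    return {flag_name(n): n in allowed_ndgs for n in NDGS}


def authorize(user_attrs, device_ndg):
    """One rule per NDG: device is in NDG N AND the user's flag N is True.

    A missing attribute or an unknown NDG falls through to the default deny.
    """
    for ndg in NDGS:
        if device_ndg == ndg and user_attrs.get(flag_name(ndg)) is True:
            return "permit"
    return "deny"


def attribute_changes(current, desired):
    """Flags an automated update has to change when a user's NDG set changes."""
    return {k: v for k, v in desired.items() if current.get(k) != v}


def groups_needed(users):
    """Identity groups required if every distinct NDG combination had to be
    its own group, since a user can belong to only one group."""
    return len({frozenset(ndgs) for ndgs in users.values()})


if __name__ == "__main__":
    # Constructed sample users
    users = {"alice": {"NDG01", "NDG07"}, "bob": {"NDG07"}, "carol": {"NDG01", "NDG07"}}
    attrs = build_user_attributes(users["alice"])
    print(authorize(attrs, "NDG07"), authorize(attrs, "NDG02"))
    print(attribute_changes(attrs, build_user_attributes({"NDG01"})))
    print(groups_needed(users), "groups vs", len(NDGS), "flags")
```

The number of flags and rules stays fixed at the number of NDGs, while the group-per-combination count grows with every new combination a user needs.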