cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
804
Views
0
Helpful
2
Replies

4.2 to 5.3 Migration - Policy grouping issue

simon-walker
Level 1
Level 1

Hi

I am looking for some advice to an issue I am experiencing with an ACS migration from 4.2 to 5.3. I have used the migration utility and transferred all the ID groups, Network devices incl their groups etc to 5.3 without any issues.

in 4.2 we heavily favoured permissions based on network device groups, in 5.3 as you may know this is not possible.

The issue I have is this:

The 3000 devices are split across 38 networks - Nothing can be done to change this due to the network device function.

Accessing these devices are 44 different User ID groups. All with varying levels of permissions to the networks they have access to.

I have tried to various methods to create new NDG's and ID Stores to group devices and/or Users to limit the number of Policy rules I will need but so far I have been unable to come up with a solution.

I could create a rule for situation, this however would result in a rule base of over 500 rules.

Why Cisco did not build ACS 5.X with the ability to allow several groups to connect to one NDG using one rule escapes me.

Any help advice would be greatly appreciated.

2 Replies 2

Tarik Admani
VIP Alumni
VIP Alumni

You should be able to use ndg with acs policies.

Are you trying to use AD groups or acs internal user groups.

Also have you tries upgrading to acs 5.4 latest patch or acs 5.5 to rule out the possibility of any bugs?

Sounds like you will need to rely on the compound condition configuration which requires you to use the customize button on the bottom right under the access policies section.


Sent from Cisco Technical Support Android App

The main issue I have is that I can only assign network group and one network device group to a rule. let me give you an example. I have one network device group, accessing that group I have 4 teams all with the same permissions, I cannot create one rule for this as I can only assign one user group to the policy rule. I could I guess create a new network group BUT there other network device groups that potentially three of these User groups dont have access to.

I have thought about building hierarchies of user groups and or network device groups but do not beleive this would work based on the many NDG access all the groups have access to.