

ACS 5.1 internal users


I have a customer with an ACS config that has an identity store sequence to authenticate against for TACACS.  First the internal database is checked for the user.  If they do not exist there they are checked against AD.

If the user is one of the 200+ they have migrated from an ACS 4 config into internal users they want to give them full enable access.  If the user is not in the internal database and needs to be verified via AD they only get priv 1 access.

Is there an easy way to create an Authorization rule in the default device admin service selection rule to do this?

I'm trying to test via a compound Condition.  The condition matches the Dictionary Internal Users group attribute with a value of All Groups.  I cannot connect to AD at the moment to test this as it's in a lab environment but I'm hoping that when this rule is checked then only users that are explicitly in the internal database via the All Groups condition will match.  If the user was matched via AD this rule won't match and the next one will come into effect which is a default rule to give priv 1 access.

Anyone have any thoughts on this method?

Many thanks, Stephen.


Excuse my stupidity.  There is an Identity Group condition in the Authorization rules page for this.  I don't need a compound condition.

My intention is to match on Any Group there and apply priv 15 access with a shell profile.

I will then leave the default rule to catch all others which go to AD for authentication.  I assume they will not match the Any Groups Identity Group so will use the default rule.  I'll then apply the appropriate shell profile to the default rule.

Thanks, Stephen.
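To make the intended first-match behaviour concrete, here is an added Python model of the flow Stephen describes (illustration written for this page, not ACS code): an identity store sequence that tries Internal Users and falls through to AD only when the user is absent internally, followed by an ordered authorization policy whose first rule matches any internal identity group under All Groups and whose default rule hands out priv 1. All user names, passwords, group and rule names are constructed; the assumption that a user found internally with a wrong password does not retry AD follows the post's own description of the sequence.

```python
"""Model of the ACS 5.x flow described in the thread: an identity store
sequence (Internal Users, then AD) followed by an ordered, first-match
authorization policy. Added illustration, not ACS code; all store contents
and rule names below are constructed."""
from typing import Optional

# Constructed sample data: internal users carry an identity group under the
# "All Groups" root; AD users have no internal identity group at all.
INTERNAL_USERS = {
    "alice": {"password": "S3cret!", "identity_group": "All Groups:Migrated"},
    "bob":   {"password": "hunter2", "identity_group": "All Groups:Migrated"},
}
AD_USERS = {
    "carol": {"password": "Passw0rd"},
    "alice": {"password": "ad-only-pw"},   # same name exists in AD as well
}


def authenticate(username: str, password: str) -> Optional[dict]:
    """Identity store sequence: try Internal Users first; only if the user is
    NOT found there, fall through to AD. Returns a session context on success.
    Assumption (per the post): a user found internally is not retried in AD."""
    if username in INTERNAL_USERS:
        rec = INTERNAL_USERS[username]
        if rec["password"] != password:
            return None   # found internally but wrong password: no AD fallback
        return {"user": username, "identity_store": "Internal Users",
                "identity_group": rec["identity_group"]}
    if username in AD_USERS and AD_USERS[username]["password"] == password:
        return {"user": username, "identity_store": "AD", "identity_group": None}
    return None


def in_any_internal_group(ctx: dict) -> bool:
    """The 'Identity Group in All Groups' condition: true only for sessions whose
    user carries an internal identity group under the All Groups root."""
    grp = ctx.get("identity_group")
    return grp is not None and grp.split(":")[0] == "All Groups"


# Ordered authorization policy: first matching rule wins; the default rule
# applies when nothing else matches, as in the Device Admin service.
AUTHZ_RULES = [
    ("Migrated-Internal-Users", in_any_internal_group,
     {"shell_profile": "Priv15", "priv_lvl": 15}),
]
DEFAULT_RULE = ("Default", lambda ctx: True,
                {"shell_profile": "Priv1", "priv_lvl": 1})


def authorize(ctx: dict):
    """Walk the rules top to bottom and return (rule name, result)."""
    for name, cond, result in AUTHZ_RULES + [DEFAULT_RULE]:
        if cond(ctx):
            return name, result
    raise AssertionError("unreachable: the default rule always matches")


def login(username: str, password: str):
    """End to end: returns (rule name, priv level), or None on auth failure."""
    ctx = authenticate(username, password)
    if ctx is None:
        return None
    name, result = authorize(ctx)
    return name, result["priv_lvl"]


if __name__ == "__main__":
    for u, p in [("alice", "S3cret!"), ("carol", "Passw0rd"),
                 ("alice", "ad-only-pw"), ("dave", "x")]:
        print(u, "->", login(u, p))
```

The run shows the two paths the thread relies on: an internal user lands on the priv 15 rule, an AD-only user falls to the default priv 1 rule, and a name present in both stores is decided by the internal entry alone, so a duplicated account never reaches AD.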

Cisco Employee

Hi Stevie,

Yes, it should work as you are planning to and it is a clever way of achieving it.




If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.