Solved: Re: ACS 5.2 - Identity Group as Authorization Condition is not w

Michal Breskovec · ‎12-23-2010

Hello,

I trying use "Identity Groups" as "Compound Condition" in My "Access Policy" Authorization rule:.

Result is simple Radius Class attribute which should be passed to SSL VPN gateway (picture is modified to be smaller):

Every user in my Radius database has assigned any Identity Group which should identify him like member of some Business Unit (we are used it in this way with ACS 4.x - user database and Groups was migrated to ACS 5.2 from it).

Unfortunately these authorization rules are not working as expected. If I will for testing purposes bypass one rule with Operator "not in" instead of "in" this rule is used and matching Authorization Profile from Result is used.

So, it looks like Compound condition can't match itself with Identity Group correctly - Is it any known / unknown BUG or I am missed something in my configuration? I am a newbie to the ACS 5.2 so is possible that I am forgot something.

Thanks for any help with this strange issue.

jrabinow · ‎12-29-2010

Please confirm that the access service identity policy is using the internal data for authentication

In order to see the full details/steps for the request go to:

-Launch Monitoring & Report Viewer

- Select Authentications - RADIUS - Today

- When you see the record for your failing request press the icon under the heading details and you will see all the processing for the request

The Authentication Details is the most relevant section

View solution in original post

Eduardo Aliaga · ‎12-24-2010

Hi

You don't need to use any "Compound conditions". You need to use "Identity Group" condition. The next example show you how to enable the "Identitiy Group" condition.

After that, edit your rules, uncheck "Compound" condition, check "Identity group" and choose the value desired.

Michal Breskovec · ‎12-28-2010

Hello, Thank you for tip, this is little bit simplest way how to do it, but unfortunately situation is still the same - rule is still not working. It looks like another bug

Michal Breskovec · ‎12-28-2010

I am tried another thing. I am created new Dictionary entry (System Administration --> Configuration --> Dictionaries --> Identity --> Internal Users), type Enum with two items (ID=1, Value=Groups Operations; ID=2, Value=Telecom & Media), and in user profile choose "Group Operations" from new menu.

I am changed Authorization rules to match this new condition only, but still it is not working. Something is terribly wrong and I don't have any idea what I can try next

Eduardo Aliaga · ‎12-28-2010

Could you please post your new config with "Identity Groups". Also you can go to "Monitoring and Report" to see the logs and see what's ACS doing exactly when matching your rules.

Michal Breskovec · ‎12-29-2010

All pictures are modified to save space.

My testing user account:

Identity Groups:

Identity Attribute:

Authorization Policy - Test 1 - match Itentity Group:

Authorization Policy - Test 2 - match Identity Atribute:

Log mesage:

Unfortunately I can't find logs where is logged rules matching process - do you have any guide?

jrabinow · ‎12-29-2010