lpavon0312
Beginner

ACS 5.2 not matching authorization policies

I have a fairly simple lab environment with ACS 5.2, where I have 2 identity groups and 2 device types, where I want users in one identity group to be able to authenticate only on devices in the corresponding device type. I have my policies in place but the ACS is not matching any of them and goes to the default policy instead. Even going to the default policy, I set the action to DenyAccess, and yet it still allows access. Has anyone had something similar? 

5 REPLIES
Jatin Katyal
Cisco Employee

If you're using Chrome as a browser to manage your ACS, then here is a defect that matches your scenario. A lot of customers came across this issue last year. However, in the latest code of ACS this defect has been fixed.

CSCuo93378    Certain browsers cause ACS database corruption

Use a supported browser and check whether all policies and their rules and conditions are displayed correctly, and resubmit all of them. Restart ACS services to put the latest changes into effect. After that, test again and it should work fine for you.

Let me know if you have any questions.

~ Jatin


Thank you so much Jatin, you were right, that was it. I just restarted the ACS server and it worked right up. Now, how do I reference an external identity source in one of these policies? For instance, I want the users from Active Directory only authenticating with one device type.

Awesome!!

For your second question: click on Identity > select rule based result selection > click on Customization (right bottom corner) > move the attribute you want to use in your condition (device type, for example) to the right hand side > click OK > create a rule as per your requirement.

~ Jatin


Hi! I have the CSCuo93378 problem too, but after restarting ACS services, in supported browsers all policies and conditions are still not displaying. And in Access Policies > Default Device Admin > Group Mapping > rule based result selection > customization (right bottom corner) I can't see any attribute and can't create any rule (and can't see old rules). Are there any other ways to solve this problem?

Hi,

Please check the browser version as well. Kindly check the release notes for the particular ACS version. For ACS 5.2, below are the supported browsers:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/release/notes/acs_52_rn.html

Regards,

Poonam Garg
