06-27-2013 03:06 AM - edited 03-10-2019 08:35 PM
Hi
I looked on the internet and I could not find an answer. Please help me solve my issue.
Questions:
I am creating more complex access services and policies; I mean the service selection rules have several access policies, and each access policy has its own rules. Example: the first access policy is for engineer groups, the second access policy is for sales groups, etc. After creating the policies with the same device and location groups, the second access policy doesn't work. I have put the logs below.
Why is the ACCESS POLICY not showing the Sales group? It seems the service selection policy rules are looking at the engineer group. Maybe it will not work because the same devices, locations and the TACACS+ protocol are used. Is it possible to solve the issue with the TACACS+ protocol only?
Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - engineer
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched rule
Selected Identity Store - Internal Users
Looking up User in Internal Users IDStore - testsales
Found User in Internal Users IDStore
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched rule
Selected Identity Store - Internal Users
Looking up User in Internal Users IDStore - testsales
Found User in Internal Users IDStore
Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
No rule was matched
Evaluating Authorization Policy
Matched Default Rule
Selected Shell Profile is DenyAccess
Returned TACACS+ Authentication Reply
07-04-2013 09:49 PM
Hello. Service selection rules and authorization rules are like access-lists: they have multiple entries which are evaluated top-down, and if the packet matches the first rule it will never evaluate the second rule.
Most of the time the default service selection rule called "default device admin" is good as it is, and what you need to customize are the authorization rules.
Please post your rules so we can see what you are trying to achieve.
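To illustrate the top-down, first-match behaviour described in this answer, here is a small added model of ACS service selection and authorization evaluation (example code written for this thread, not Cisco ACS code). The device group, location, identity group and shell profile names are constructed; "default device admin" is the rule name mentioned above. It reproduces the posted log (a Sales user landing in the "engineer" service and hitting the default DenyAccess rule) and shows the suggested shape: one service selection rule plus authorization rules that differ by identity group.

```python
"""First-match policy evaluation, modelled after ACS service selection and authorization rules."""

def first_match(rules, request, default):
    """Evaluate rules top-down; the first rule whose conditions all hold wins.
    Each rule is (name, conditions, result); conditions map attribute -> required value.
    Returns (rule_name, result), falling back to the default when nothing matches."""
    for name, conditions, result in rules:
        if all(request.get(attr) == value for attr, value in conditions.items()):
            return name, result
    return "Default Rule", default

def evaluate(service_rules, authz_policies, request):
    """Service selection first, then the authorization policy of the selected service.
    Falling back to DenyAccess when no service matches is an assumption of this model."""
    _, service = first_match(service_rules, request, default="DenyAccess")
    if service == "DenyAccess":
        return service, "DenyAccess"
    _, shell_profile = first_match(authz_policies[service], request, default="DenyAccess")
    return service, shell_profile

# Constructed request: the 'testsales' user from the log, reaching ACS through the same
# device group and location that engineers use (attribute values are made up).
SALES_REQUEST = {"protocol": "TACACS+", "device_group": "All Devices",
                 "location": "All Locations", "identity_group": "Sales"}
ENGINEER_REQUEST = dict(SALES_REQUEST, identity_group="Engineers")

# As posted: two service selection rules with identical conditions. Rule-2 can never match,
# so a Sales user is always sent to the 'engineer' service and denied by its default rule.
SAME_CONDITIONS = {"protocol": "TACACS+", "device_group": "All Devices", "location": "All Locations"}
BROKEN_SERVICE_RULES = [
    ("Rule-1", SAME_CONDITIONS, "engineer"),
    ("Rule-2", SAME_CONDITIONS, "sales"),      # shadowed by Rule-1
]
BROKEN_AUTHZ = {
    "engineer": [("Rule-1", {"identity_group": "Engineers"}, "EngineerShell")],
    "sales":    [("Rule-1", {"identity_group": "Sales"}, "SalesShell")],
}

# Suggested shape: keep one service selection rule and differentiate in the authorization rules.
FIXED_SERVICE_RULES = [("Rule-1", {"protocol": "TACACS+"}, "Default Device Admin")]
FIXED_AUTHZ = {
    "Default Device Admin": [
        ("Engineers", {"identity_group": "Engineers"}, "EngineerShell"),
        ("Sales", {"identity_group": "Sales"}, "SalesShell"),
    ],
}

if __name__ == "__main__":
    print(evaluate(BROKEN_SERVICE_RULES, BROKEN_AUTHZ, SALES_REQUEST))  # ('engineer', 'DenyAccess')
    print(evaluate(FIXED_SERVICE_RULES, FIXED_AUTHZ, SALES_REQUEST))    # ('Default Device Admin', 'SalesShell')
```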
07-23-2013 06:46 AM
Thank you for explaining!