Marlon Malinao
Beginner

ACS 5.2 using AD to manage network device Admin policy creation

Hi All,

Need some light here. We managed to integrate our newly set up ACS 5.2 with our regional domain. Now I'm creating a Device Admin access policy for the Regional Network Admin group and the Regional Network Operators group, each having full and read access respectively.

I already have the default identity policy and authorization policy with command sets fullaccess and showonly for each group; now I don't know how I can match the AD groups regionaladm and regionalops so that each user who falls under one of these groups will have the correct read/write access.

regards,

marlon

Accepted Solution
jrabinow
Rising star

You need to start to add rules to the authorization policy

Go to

Access Policies > Access Services > Default Device Admin > Authorization

Press "Customize" and make AD1:External Groups a select condition and press OK

You can now make rules based on AD groups content

Press Create and check the AD1:External Groups option; you can now enter the groups you want to check to assign access.

Note the set of groups available for selection is defined in

Users and Identity Stores > External Identity Stores > Active Directory

Only groups selected here are available in policy


4 Replies

Hi, thanks, it works.

One question: how can I prevent other users from logging in to the network devices? Now all AD users will be able to access our network devices.

regards,

Marlon

You have made these rules based on membership of the regionalops and regionaladm groups. However, you seem to be implying that not all members of these groups should in fact have access and there are some members of these groups that should not have access? If so, is there any way to identify those that should have access? Is there some AD attribute or group that exists or can be arranged to be configured so that it can be utilized in the policy rules? That would be the cleanest approach.

If not, how many users are there that you want to allow access to?

Hi Jrabinow,

It's working now; I created a Deny Rule for those ordinary members of Domain Users.

Thanks for the support.
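Added illustration, not from this thread and not ACS code: a small Python model of a top-down, first-match authorization rule table like the one the thread ends up with (regionaladm gets fullaccess, regionalops gets showonly, everyone else in Domain Users is denied). The rule and group names, the first-match evaluation order and the three sample users are assumptions constructed for the example. It shows why the Deny rule for Domain Users has to sit below the two permit rules: every admin and operator is also a member of Domain Users, so a Deny placed above them would lock everyone out, and it reports which rules a set of test users never reaches.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of a device-admin authorization table (hypothetical model)."""
    name: str
    required_group: Optional[str]  # AD group the user must hold; None matches everyone
    result: str                    # command set to assign, or "DenyAccess"


# Table in the order the thread arrives at: specific permits first, then the
# Deny for ordinary Domain Users, then a catch-all default (assumed names).
RULES: List[Rule] = [
    Rule("RegionalAdmins", "regionaladm", "fullaccess"),
    Rule("RegionalOps", "regionalops", "showonly"),
    Rule("OtherDomainUsers", "Domain Users", "DenyAccess"),
    Rule("Default", None, "DenyAccess"),
]

# Same rules with the Deny moved to the top: a common mistake when adding
# a blocking rule after the fact.
MISORDERED: List[Rule] = [RULES[2], RULES[0], RULES[1], RULES[3]]

# Constructed sample users; every AD user is also a member of Domain Users.
SAMPLE_USERS: Dict[str, Set[str]] = {
    "alice": {"Domain Users", "regionaladm"},
    "bob": {"Domain Users", "regionalops"},
    "carol": {"Domain Users"},
}


def evaluate(rules: List[Rule], user_groups: Set[str]) -> Tuple[str, str]:
    """Return (matched rule name, result) using first-match semantics (assumed)."""
    for rule in rules:
        if rule.required_group is None or rule.required_group in user_groups:
            return rule.name, rule.result
    # Closed policy: nothing matched, so no access is granted.
    return "NoMatch", "DenyAccess"


def unreachable(rules: List[Rule], users: Dict[str, Set[str]]) -> List[str]:
    """Names of rules that none of the given test users ever hits.

    A permit rule listed here is shadowed by an earlier rule; a Default rule
    listed here is expected when every tester is caught by an explicit row.
    """
    hit = {evaluate(rules, groups)[0] for groups in users.values()}
    return [rule.name for rule in rules if rule.name not in hit]


if __name__ == "__main__":
    for label, table in (("correct order", RULES), ("deny on top", MISORDERED)):
        print(f"--- {label} ---")
        for user, groups in SAMPLE_USERS.items():
            print(f"{user:6s} -> {evaluate(table, groups)}")
        print("never matched:", unreachable(table, SAMPLE_USERS))
```

With the correct order alice gets fullaccess, bob gets showonly and carol is denied by the Domain Users rule, so only the Default row goes unused. With the Deny on top all three users are denied and both permit rules are reported as unreachable, which is the check worth running against a few known test accounts before trusting a new Deny rule in production.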