
Michal Breskovec

ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

Hello guys, I have found a problem which I can't solve regarding authorization using Identity Groups in an Access Policy rule.

ACS version: (internal build B.839)

I have a very simple RADIUS Authorization rule which authorizes a user based on the right Identity Group.

  • Requested Identity Group exists
  • Testing user is created in Internal Users and has the requested Identity Group assigned
  • RADIUS Access Policy: 
    • Authentication against an Identity Store Sequence, where the authorization server is an external RSA SecurID device and additional attribute retrieval is configured from Internal Users.
    • Authorization is very simple – one rule with only one condition, which is: Identity Group - in - Requested_Testing_Rule. Then the Default rule is set to Deny.

When I try to log in with my testing user, authentication against RSA SecurID is OK, but authorization is denied by the Default rule – it looks like my rule with the Identity Group is totally omitted.

I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.

What I have tested:

  • Remove the testing user and create his account again.
  • Rename Identity Group
  • Use another Identity Group
  • Remove Access Policy rule and create it again
  • Use Compound Condition: System:Identity Group
  • Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)

Do you have any idea where the problem can be?

Michal Breskovec

OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.
