cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1645
Views
0
Helpful
1
Replies

ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

Hello guys, I am found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.

ACS version: 5.3.0.40.6 (internal build B.839)

I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.

  • Requested Identity Group exist
  • Testing user is created in Internal Users and has assigned requested Identity Group
  • Radius Access Policy: 
    • Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
    • Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.

When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.

I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.

What I am tested:

  • Remove testing user and create his account again.
  • Rename Identity Group
  • Use another Identity Group
  • Remove Access Policy rule and create it again
  • Use Compound Condition: System:Identity Group
  • Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)

Do you have any idea where problem can be?

1 Reply 1

OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistence wich was solved by ACS itself.