Hello guys, I have found a problem which I can't solve regarding authorization using Identity Groups in an Access Policy rule.
ACS version: 5.3.0.40.6 (internal build B.839)
I have a very simple RADIUS Authorization rule which authorizes the user on the basis of the right Identity Group.
- The requested Identity Group exists
- The testing user is created in Internal Users and has the requested Identity Group assigned
- Radius Access Policy:
  - Authentication against an Identity Store Sequence, where the authorization server is an external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
  - Authorization is very simple – one rule with only one condition, which is: Identity Group - in - Requested_Testing_Rule. Then the Default rule is set to Deny.
When I try to log in with my testing user, authentication against RSA SecurID is OK, but authorization is denied by the Default rule – it looks like my rule with the Identity Group is totally omitted.
I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
What I have tested:
- Remove testing user and create his account again.
- Rename Identity Group
- Use another Identity Group
- Remove Access Policy rule and create it again
- Use Compound Condition: System:Identity Group
- Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
Do you have any idea where the problem could be?