ACS 5.6 Authorization Profile issue.

Hi to all,

I have a customer who has installed an ACS server. It is used to authenticate the users who want to connect to the intranet; they are using the AnyConnect mobility client. The ACS looks up the users in the corporate AD, and every authorization policy is validated against an AD group (all are configured in the AD and the users work correctly).

The issue is the following: when one user is in two or more groups, the login is correct and the ASA assigns all the permissions correctly when the user chooses the correct group. But in the ACS logs (RADIUS authentication details), when the same user tries to connect to different groups, the Authorization Profile that appears in the logs is the same.

So I have some questions: what is the method for assigning the authorization policy? Are the rules evaluated from top to bottom? So the authorization profile assigned is the first one where the user is found? Is the authorization profile that appears in the logs really the one assigned to the user?

I'm not sure if I have explained the issue clearly; if you need some more information, please tell me and I will try to provide it.

Thanks to all in advance.

Regards

David.

3 Replies

nspasov
Cisco Employee

Hi David, the rules in ACS are processed in a top-down fashion. As a result, you should put your more specific rules towards the top. For instance, every user is part of the "Domain-Users" AD group but only certain users are part of "Network-Admins". Thus, you should put the "Network-Admins"-based rule above the one for "Domain-Users". Otherwise, the "Network-Admins" rule will never be hit.

I hope this helps!


Thank you for rating helpful posts!
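The first-match behaviour described in the reply above, as an added illustration that is not part of the original thread and not ACS code: a small Python model of a top-down authorization policy, plus a check for rules that can never be reached (the "Domain-Users above Network-Admins" mistake) and a reordering that puts rules on smaller groups first. The rule names, AD group names, profile names and the directory of users are constructed for the example; real ACS rule conditions can combine several attributes, but the model assumes one AD group per rule.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    name: str        # rule name as it would appear in the policy table (constructed)
    ad_group: str    # AD group the rule's condition matches on (one group per rule, an assumption)
    profile: str     # authorization profile returned when this rule hits (constructed)


# Constructed directory: user -> AD groups. Every user is in Domain-Users,
# mirroring the example in the reply; the other groups are made up.
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"Domain-Users", "Network-Admins"},
    "bob":   {"Domain-Users", "VPN-Users"},
    "carol": {"Domain-Users"},
}


def first_match(rules: List[Rule], user_groups: Set[str]) -> Optional[str]:
    """Top-down, first-match evaluation: the first rule whose AD group the user
    belongs to wins, and later rules are never consulted for that user."""
    for rule in rules:
        if rule.ad_group in user_groups:
            return rule.profile
    return None  # nothing hit: in ACS this would fall through to the default rule


def shadowed_rules(rules: List[Rule], directory: Dict[str, Set[str]]) -> List[str]:
    """Names of rules that no user in the directory can ever reach, because an
    earlier rule already matches every user who would satisfy this one."""
    shadowed = []
    for i, rule in enumerate(rules):
        reachable = False
        for groups in directory.values():
            if rule.ad_group not in groups:
                continue
            # This user satisfies the rule; is it hidden by an earlier rule?
            if not any(earlier.ad_group in groups for earlier in rules[:i]):
                reachable = True
                break
        if not reachable:
            shadowed.append(rule.name)
    return shadowed


def specific_first(rules: List[Rule], directory: Dict[str, Set[str]]) -> List[Rule]:
    """Reorder rules so that those matching smaller groups come first.
    A stable sort by membership count: a group that is a strict subset of
    another always has fewer members, so it sorts ahead of its superset."""
    size = {
        r.ad_group: sum(r.ad_group in groups for groups in directory.values())
        for r in rules
    }
    return sorted(rules, key=lambda r: size[r.ad_group])


# The problematic order from the reply: the broad Domain-Users rule sits on top.
BAD_ORDER = [
    Rule("Users",  "Domain-Users",   "Basic-Access"),
    Rule("Admins", "Network-Admins", "Admin-Access"),
    Rule("VPN",    "VPN-Users",      "VPN-Access"),
]


if __name__ == "__main__":
    print(first_match(BAD_ORDER, DIRECTORY["alice"]))   # Basic-Access: admin rule never hit
    print(shadowed_rules(BAD_ORDER, DIRECTORY))         # ['Admins', 'VPN']
    fixed = specific_first(BAD_ORDER, DIRECTORY)
    print([r.name for r in fixed])                      # ['Admins', 'VPN', 'Users']
    print(first_match(fixed, DIRECTORY["alice"]))       # Admin-Access
    print(shadowed_rules(fixed, DIRECTORY))             # []
```

Run against a user who is in several groups, `first_match` returns the same profile every time regardless of which connection profile the user picked on the ASA side, which is the behaviour the original post observed in the RADIUS authentication details. `shadowed_rules` is the check worth running whenever a rule's condition is a superset of a later rule's.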

Hi Neno,

Thanks for your reply!!

My customer has the whole authorization system working properly and each user can connect without problems, so I have opened this discussion because, in the logs, we can see a strange step in the authorization details.

One more question: if the authorization profile is the result of the authorization policy, and these authorization profiles are empty, nothing will be assigned to the client, right? In the authorization profile we have only set up the Class attribute (all the permissions are assigned by the ASA correctly).

Thanks

Regards

David.

Hi,

To clarify, the authorization policy is configured as shown:

In the authorization details, we can see:

Is this the normal way of working, or is something missing in the configuration?

Thanks.

Regards

David.