04-10-2015 04:34 AM - edited 03-10-2019 10:37 PM
Hi to all,
I have a customer who has installed an ACS server. It is used to authenticate the users who want to connect to the intranet; they are using the AnyConnect mobility client. The ACS looks for the users in the corporate AD, and every authorization policy is validated against an AD group (all are configured in the AD and the users work correctly).
The issue is the following: when one user is in two groups or more, the login is correct and the ASA is assigning all the permissions correctly when the user chooses the correct group. But in the ACS logs (RADIUS authentication details), when the same user tries to connect to different groups, the Authorization Profile which appears in the logs is the same.
So I have some questions: what is the method for assigning the authorization policy? Are they assigned from top to bottom? So is the authorization profile assigned the first one where the user has been matched? The authorization profile which appears in the logs, is it really assigned to the user?
I'm not sure if I have explained the issue clearly; if you need some more information, please tell me and I will try to provide more.
Thanks to all in advance.
Regards
David.
04-11-2015 08:22 PM
Hi David, the rules in ACS are processed in a top-down fashion. As a result, you should put your more specific rules towards the top. For instance, every user is part of the "Domain-Users" AD group but only certain users are part of "Network-Admins." Thus, you should put the "Network-Admins" based rule above the one for "Domain-Users." Otherwise, the "Network-Admins" rule will never be hit.
I hope this helps!
Thank you for rating helpful posts!
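A small Python model of the top-down, first-match evaluation described in this reply, added here as an illustration (it is not Cisco's code and not from this thread); the rule names, AD groups, profiles and user memberships are constructed sample values. It also lists rules that no user in the sample directory can ever hit, which is the shadowing problem that the wrong ordering causes.

```python
# Simplified model of ACS authorization rule ordering (assumption: one AD-group
# condition per rule, first match from the top wins; not Cisco's implementation).
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str       # rule name as it would appear in the log
    ad_group: str   # AD group the user must belong to
    profile: str    # authorization profile the rule returns


def evaluate(rules, user_groups):
    """Return (rule name, profile) of the first rule, top-down, whose AD group
    the user belongs to; (None, None) if no rule matches (ACS would then fall
    back to its default rule)."""
    for rule in rules:
        if rule.ad_group in user_groups:
            return rule.name, rule.profile
    return None, None


def shadowed_rules(rules, directory):
    """Names of rules that are never hit for any user in `directory`
    (a constructed AD snapshot: user -> set of group names)."""
    hit = {evaluate(rules, groups)[0] for groups in directory.values()}
    return [r.name for r in rules if r.name not in hit]


# Constructed sample directory: alice is in both groups, bob only in the general one.
DIRECTORY = {
    "alice": {"Domain-Users", "Network-Admins"},
    "bob": {"Domain-Users"},
}

# General rule first: the admins rule can never be hit.
GENERAL_FIRST = [
    Rule("users", "Domain-Users", "VPN-Users-Profile"),
    Rule("admins", "Network-Admins", "VPN-Admins-Profile"),
]
# Specific rule first: admins get their own profile, everyone else the general one.
SPECIFIC_FIRST = list(reversed(GENERAL_FIRST))

if __name__ == "__main__":
    for label, rules in (("general first", GENERAL_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(label, {u: evaluate(rules, g) for u, g in DIRECTORY.items()},
              "shadowed:", shadowed_rules(rules, DIRECTORY))
```

With the general rule on top, alice is logged against the "users" rule and gets VPN-Users-Profile even though she is a network admin, which is the same symptom as the identical profile in the logs above.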
04-12-2015 11:54 PM
Hi Neno,
Thanks for your reply!
My customer has the whole authorization system working properly and each user can connect without problems, so I have opened this discussion because, in the logs, we can see a strange step in the authorization details.
One more question: if the authorization profile is the result of the authorization policy, and these authorization profiles are empty, nothing will be assigned to the client, right? In the authorization profile we have only set up the class attribute (all the permissions are assigned by the ASA correctly).
Thanks
Regards
David.
04-13-2015 12:32 AM
Hi,
To clarify, the authorization policy is configured as shown:
In the authorization details, we can see:
Is this the normal way it works, or is something missing in the configuration?
Thanks.
Regards
David.