ACS Identity Groups Configuration Question

rkallas
Level 1

Hi,

I'm configuring a new ACS5.4 appliance from scratch. My previous ACS was a 3.3 Windows system so we decided to redesign the configuration.  You can imagine that the new ACS is very different to me.

My question is what is the best approach to setting up Identity Groups and Access Groups for TACACS authentication/authorization for our network devices.  I'll be using Active Directory as my external ID Store.

Here's my criteria:

- I need to have Full Access Admins and Read Only Admins for remote site support staff.

- These Admins are granted access to 3 different network layers either with Full Access or Read Only access.

- Our external AD groups are set up to match Full Access or Read Only for each network layer.

Here is how our Network Access groups in AD are set up:

Access Groups:
Full Control Admins
Read Only Admins

Network Layers Per Site:
Site1-Core
Site1-Distro
Site1-Access
------------
Site2-Core
Site2-Distro
Site2-Access


AD Groups Per Site:
Site1-Core-Full Control
Site1-Core-Read Only

Site1-Distro-Full Control
Site1-Distro-Read Only

Site1-Access-Full Control
Site1-Access-Read Only
-----------------------
Site2-Core-Full Control
Site2-Core-Read Only

Site2-Distro-Full Control
Site2-Distro-Read Only

Site2-Access-Full Control
Site2-Access-Read Only

From what I've read in the ACS 5.4 configuration documents, it seems more efficient to create Identity Groups specific to the Access types (Full Control or RO) instead of creating a whole bunch of Access Groups.  But at this point I'm a bit uncertain about what approach I should take.  Any advice is greatly appreciated!

Ray

3 Replies

edwardcollins7
Level 1

Ray,

Try to make this as simple as possible.

If you are using AD, forget the local identity groups, it will just complicate the setup.

I think you already have AD groups, so great.

When you define the devices on the ACS, use a new NDG for site and name them:

Site1-Core
Site1-Distro
Site1-Access
------------
Site2-Core
Site2-Distro
Site2-Access

Make each device part of the respective NDG.

In the Identity section of the access service on the ACS, point it to AD directly.

In the Authorization section, use this concept:

"If AD group is X and site is A" then "Full access / Read Only"

I know you are new to ACS 5 so if you have any questions, feel free to contact me.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed
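To make Ed's rule concept concrete, here is an added example that models the authorization policy as code. It is not part of the thread and not an ACS export or Cisco code: the AD group and NDG names are the ones from Ray's post, while the shell profile names, the privilege levels they carry, and the rule ordering are assumptions. It mirrors how an ACS 5.x rule-based policy behaves: rules are evaluated top-down, the first match wins, and no match means deny.

```python
"""Model of the TACACS+ device-admin authorization policy Ed describes.

Added example for this thread, not an ACS export or Cisco code. The AD
group and NDG names are the ones from Ray's post; the shell profile
names, the privilege levels they carry and the rule ordering are
assumptions. Like an ACS 5.x rule-based policy, rules are evaluated
top-down and the first matching rule wins; no match means deny.
"""
from dataclasses import dataclass

SITES = ("Site1", "Site2")
LAYERS = ("Core", "Distro", "Access")

# Assumed shell profiles: the attributes ACS would return in the
# TACACS+ authorization reply for each access type.
SHELL_PROFILES = {
    "FullControl": {"priv-lvl": 15},
    "ReadOnly": {"priv-lvl": 1},
}


@dataclass(frozen=True)
class Rule:
    ad_group: str       # AD group the user must be a member of
    ndg_location: str   # NDG the requesting device belongs to, e.g. "Site1-Core"
    shell_profile: str  # key into SHELL_PROFILES


def build_rules():
    """One rule per (site, layer, access type) from the AD group naming
    scheme. The Full Control rule for an NDG is listed before its Read
    Only rule so a user who is in both groups lands on the first match,
    full access, instead of being silently downgraded."""
    rules = []
    for site in SITES:
        for layer in LAYERS:
            ndg = f"{site}-{layer}"
            rules.append(Rule(f"{ndg}-Full Control", ndg, "FullControl"))
            rules.append(Rule(f"{ndg}-Read Only", ndg, "ReadOnly"))
    return rules


RULES = build_rules()


def authorize(user_groups, device_ndg, rules=RULES):
    """Return the shell profile for the first rule whose NDG matches the
    device and whose AD group the user holds, or None to deny."""
    groups = set(user_groups)
    for rule in rules:
        if rule.ndg_location == device_ndg and rule.ad_group in groups:
            return SHELL_PROFILES[rule.shell_profile]
    return None


def effective_access(user_groups, rules=RULES):
    """Map every NDG to the profile a user would get there, for checking
    a support account's reach across all sites before rollout."""
    ndgs = sorted({rule.ndg_location for rule in rules})
    return {ndg: authorize(user_groups, ndg, rules) for ndg in ndgs}


if __name__ == "__main__":
    # Constructed sample account: a Site1 support engineer with full
    # control of the access layer and read-only on distribution.
    support = ["Site1-Access-Full Control", "Site1-Distro-Read Only"]
    for ndg, profile in effective_access(support).items():
        print(f"{ndg:14} {profile if profile else 'DENY'}")
```

Two points this makes visible that the GUI does not: the rule order decides what a user in both the Full Control and Read Only group for one NDG receives, and a group scoped to Site1 gives nothing on Site2 devices, so the default outcome is deny rather than a fall-through to read-only.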

Thanks Ed!

I think you've confirmed what I was thinking; Identity groups in this case were just complicating the configuration.

I'm going to give this a try and let you know how it works.

Ray

Hi Ed,

To recap your steps:

1. I already have AD groups

2. I defined the devices on the ACS, and have new NDGs by sites:

Site1-Core
Site1-Distro
Site1-Access

3. Each device is part of the respective NDG (Router, Switch, FW, etc.)

4. In the Access Service section I have :

Access Policies/Access Services/TACACS Device Admin/Identity:
Rule-1 NDG device type=All / NDG Locations = All / Identity Source = AD1

5. In the Authorization section, I tried to set it up as you suggested: "If AD group is X and site is A" then "Full access / Read Only"
For Authorization though, I get choices for Identity Group, NDG:Location, NDG:Device Type, & Device Filter, and the Results Shell Profile.  There doesn't seem to be a selection that I can pick an AD Group from.

Am I in the wrong section for this?  Or have I missed a step earlier on in the process?

Any advice is greatly appreciated!

Ray