11-01-2011 06:28 AM - edited 03-10-2019 06:31 PM
Hi
I'm now in the testing stages of our new Cisco ACS Appliance. I'm running version 5.2.0.26.6.
I have created some authorization policies to either allow admin access or read only access. This is based on what AD group you are in and also a device filter so I can allow specific teams access to specific device types based on location.
I have created an access service for radius device administration.
I have also created a service selection policy which matches the protocol of radius, an NDG device type of NOT Cisco VPN and then added the service as my access service I created.
Within that access service I have created an identity to match protocol radius and identity source of AD.
I have then created an authorization to allow my team full access to our network devices. This is done using a device filter and an AD group which my team exist in. I have then added an authorization profile which allows full access based on radius attributes. This works ok and I can access our switches using my AD account and I get full access, which is what I want. I can also see the matches on the policies that I created.
I have then created a DE switch read access policy to only allow read only access to switches based on a specific location. I have created a device filter for this and added this to the authorization policy. I have then added the specific AD group and also a read only authorization profile based on a read only radius attribute.
Now when I use the account I have set up within this group and I try and access a switch which is NOT in the German Extreme filter it lets me access those devices and gives me read only access. To me it looks like it's ignoring the device filter and just allowing read only access to all switches.
Has anyone seen this behaviour before? Is it possibly a mis-configuration somewhere within my configuration?
I can post screenshots if you require these to assist me further.
Regards
Jay
11-01-2011 10:07 AM
Hi
What I have done is to remove the device filter from that particular authorization policy. I then added an NDG:Device Type and NDG:Location as separate conditions into the policy. I then tested access to a NON German device and it denied access. So it looks like it's ignoring the device filter altogether.
I then decided to test access to a German switch using the AD user in the German group. I was able to get read only access but when I checked to see which policy it had matched it matched on a Juniper firewall read only policy, which is allowing access using a VSA of Netscreen. How was it able to use that policy and allow me read access to an Extreme Networks switch? On the switch I see the following error, which indicates it's seen a specific VSA ID.
I can see the successful authentication in the ACS logs as shown. You can see it's matched my Netscreen AP:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Radius-Device-Admin
Evaluating Identity Policy
15004 Matched rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24416 User's Groups retrieval from Active Directory succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - Read-Only-Netscreen-AP
11002 Returned RADIUS Access-Accept
Has anyone come across this before and any ideas if anything I may have done wrong?
Cheers
Jay
11-03-2011 07:52 AM
Hi
I have been doing more testing and it's definitely NOT picking up the device filters within the authorization policy.
I also moved one of the policies and it's now using the Extreme-AP NOT the Netscreen-AP anymore. Still weird why it was able to login using that one.
Has anyone else had problems getting device filters to work?
Cheers
Jay
11-04-2011 05:40 AM
Hi
Still trying to get this working. What I have done as a test is to remove the device type from the filter and just leave the location filter. I then tested access to a device not in that location and it denied me access. I then added a device type of a firewall, just to see if it was matching the 2nd filter, and it allowed me in. So it's as though it's not looking at the second filter I configure within the device filter. I have attached a screenshot of the filter. Does this look ok to you?
11-06-2011 12:38 AM
Want to clarify what you are trying to achieve.
To clarify, a device filter defines a list of conditions and only one of them needs to match for the overall filter to match. If you want an AND combination then you need to define an authorization rule.
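The OR-versus-AND distinction in that reply is the whole explanation for the thread's symptoms, so here is an added example (not from the original posts or from Cisco) that models the two rule shapes over constructed NDG data: one authorization rule carrying a device filter with both conditions inside it, and one carrying the same two conditions as separate NDG conditions. All device names, group names and profile names are invented for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data modelled on the thread's description; not the
# poster's real ACS configuration.
@dataclass(frozen=True)
class Device:
    name: str
    device_type: str   # NDG:Device Type
    location: str      # NDG:Location

@dataclass(frozen=True)
class Rule:
    name: str
    ad_group: str
    conditions: tuple          # ((attribute, value), ...) AND-ed together
    device_filter: tuple = ()  # ((attribute, value), ...) OR-ed together
    profile: str = "Deny"

def device_filter_matches(conditions, device):
    """ACS 5.x device filter as the reply describes it: any ONE condition is enough (OR)."""
    if not conditions:
        return True  # no filter configured means no restriction
    return any(getattr(device, attr) == value for attr, value in conditions)

def rule_matches(rule, user_groups, device):
    """Authorization rule: the AD group and EVERY NDG condition must hold (AND)."""
    if rule.ad_group not in user_groups:
        return False
    if not all(getattr(device, attr) == value for attr, value in rule.conditions):
        return False
    return device_filter_matches(rule.device_filter, device)

def authorize(rules, user_groups, device):
    """First matching rule wins, as in the ACS authorization policy; otherwise deny."""
    for rule in rules:
        if rule_matches(rule, user_groups, device):
            return rule.name, rule.profile
    return None, "Deny"

# Built the way the thread first tried: one device filter holding both conditions.
FILTER_RULE = Rule("DE-Switch-RO-filter", "DE-ServerTeam", (),
                   (("device_type", "Extreme Switch"), ("location", "Germany")),
                   "Read-Only-Extreme-AP")
# Built the way the reply recommends: separate NDG conditions, AND-ed in the rule.
NDG_RULE = Rule("DE-Switch-RO-ndg", "DE-ServerTeam",
                (("device_type", "Extreme Switch"), ("location", "Germany")),
                (), "Read-Only-Extreme-AP")

UK_SWITCH = Device("uk-sw1", "Extreme Switch", "UK")       # constructed
DE_SWITCH = Device("de-sw1", "Extreme Switch", "Germany")  # constructed
```

Running `authorize([FILTER_RULE], {"DE-ServerTeam"}, UK_SWITCH)` returns the read-only profile for a non-German switch, exactly the over-match the thread reports, while `NDG_RULE` denies it and only matches the German switch.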
11-07-2011 04:03 AM
Hi
Thanks for your reply.
What I thought I could use the device filters for was to create filters based on device type and location. I could then apply those to an authorisation policy. E.g.
Cisco routers - location Germany
Extreme switches - location Italy
It looks like I have misunderstood how device filters actually work. This wasn't very clear in the documentation.
So what you are saying is I would have to create 2 device filters, 1 for location and 1 for device type. Then create 2 auth rules the same but using the 1 device filter in 1 and the other filter in the other.
Seems a bit of a long-winded way to do it. I may as well stick to using the individual NDG conditions within each auth policy.
I have decided to not use device filters at this point. This may change when I propose this set up to our teams globally.
I have set up multiple access services based on device type. I have then created service selection policies to match on a specific device type and to forward those requests to the access service. Then I have created multiple authorization profiles within those access services to allow specific access dependent on AD group and also using the device location and department NDG.
This means I can allocate read only access to all German switches to our German server team for example.
Not sure if how I have done it is the best way to do things. I have tested on a switch and it does seem to work how I want it.
Cheers
Jay