03-24-2013 01:03 PM - edited 03-10-2019 08:13 PM
Hi,
In my ACS 5.4 I want to have the same username use two shell profiles. Here is the requirement.
One shell profile with privilege 15 for IOS device admin and another one with a different privilege for WCS admin. As there can't be two shell profiles on the same authorization profile, I created two different profiles and matched them with the ACS local group name. However, whenever the user tries to access, it always hits the 1st profile.
I'm not sure if I'm missing something. If someone has done this or knows how to do this, please advise.
thanks
03-25-2013 12:30 AM
Hi,
What you can do is to create two authorization rules based on the device ip address.
Use two rules:
rule 1: if device ip address matches wcs ip address then use WCS-Shell-Profile
rule 2: if device ip address does not match wcs ip address then use: Other-Shell-Profile
If you cannot see the device ip address in the rule options, you can always customize what options you want to compare against from the customize button at the bottom right of the page.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
03-25-2013 11:49 PM
Hi Amjad,
Many thanks for your solution, and it worked!
However, my worry is, how can it be useful when we have more than one WCS server?
Can we match an NDG by putting the WCS servers in a separate group, or else create one more similar rule and change the WCS IP address?
Regards,
03-26-2013 01:10 AM
Hi,
Glad to hear it works.
If you want to build the rule based on multiple devices, not a single IP address, what you can do is to compare the policy with a device filter.
Create a device filter that contains all the devices upon which you want to build the policy
(Policy elements -> Network conditions -> Device filters), then in the rule, rather than doing the comparison with a single ip, you do it with a "device filter".
A device filter can be created based on multiple ip addresses, an ip address range or even an existing NDG.
It is still a valid option to create multiple rules, each with one single IP. But if you have too many IP addresses it is more scalable to create a device filter and match the rule to that filter.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
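The two-rule policy with a device filter discussed in this thread, modeled in Python as an added example (not part of any post, and not ACS code or an ACS API). It assumes rules are evaluated top-down with the first match winning; the filter entries, IP addresses and the `audit` helper are constructed for illustration.

```python
import ipaddress

# Constructed device filter: a single IP, a subnet, and a start-end range.
WCS_FILTER = ["10.10.1.5", "10.10.2.0/28", "10.10.3.10-10.10.3.12"]

def in_filter(ip, entries):
    """Return True if ip falls inside any entry of the device filter."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if "-" in entry:  # start-end range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True  # single IP (treated as /32) or subnet
    return False

# Ordered rules from the thread; profile names are the ones used in the reply.
RULES = [
    ("rule 1", lambda ip: in_filter(ip, WCS_FILTER), "WCS-Shell-Profile"),
    ("rule 2", lambda ip: not in_filter(ip, WCS_FILTER), "Other-Shell-Profile"),
]

def authorize(device_ip):
    """Walk the rules in order and return (rule name, shell profile)."""
    for name, condition, profile in RULES:
        if condition(device_ip):
            return name, profile
    return "no-match", None  # hypothetical fallback; unreachable with these rules

def audit(inventory):
    """inventory maps device IP -> expected profile.
    Returns the devices whose actual profile differs, e.g. a new WCS server
    that was never added to the filter and so falls through to rule 2."""
    return {ip: authorize(ip)[1]
            for ip, expected in inventory.items()
            if authorize(ip)[1] != expected}

if __name__ == "__main__":
    inventory = {  # constructed inventory
        "10.10.2.7": "WCS-Shell-Profile",
        "10.10.4.20": "WCS-Shell-Profile",   # WCS server missing from the filter
        "192.168.1.1": "Other-Shell-Profile",
    }
    print(audit(inventory))
```

Running the audit against an inventory after adding a WCS server shows whether the new server still falls through to the profile intended for IOS devices.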