ACS same username with two different groups, two shell profiles

pemasirid
Level 1

Hi,

In my ACS 5.4 I want to have the same username use two shell profiles. Here is the requirement.

One shell profile with privilege 15 for IOS device admin and another one with a different privilege for WCS admin. As there can't be two shell profiles on the same authorization profile, I created two different profiles and matched them with the ACS local group name. However, whenever the user tries to access, it always hits the 1st profile.

I'm not sure if I'm missing something. If someone has done this or knows how to do this, please advise.

thanks

Accepted Solutions

Amjad Abdullah
VIP Alumni

Hi,

What you can do is to create two authorization rules based on the device IP address.

Use two rules:

rule 1: if device IP address matches WCS IP address then use WCS-Shell-Profile

rule 2: if device IP address does not match WCS IP address then use: Other-Shell-Profile

If you cannot see the device IP address in the rule options, you can always customize what options you want to compare against from the customize button at the bottom right of the page.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

pemasirid
Level 1

Hi Amjad,

Many thanks for your solution and it worked..!

However, my worry is, how can it be useful when we have more than one WCS server?

Can we match an NDG, putting WCS in a separate group, or else create one more similar rule and change the WCS IP address?

Regards,

Hi,

Glad to hear it works.

If you want to build the rule based on multiple devices, not a single IP address, what you can do is to compare the policy with a device filter.

Create a device filter that contains all the devices upon which you want to build the policy

(Policy elements -> Network conditions -> Device filters) then in the rule, rather than doing the comparison with a single IP, you do it with a "device filter".

A device filter can be created based on multiple IP addresses, an IP address range or even an existing NDG.

It is still a valid option to create multiple rules, each with one single IP. But if you have too many IP addresses it is more scalable to create a device filter and match the rule to that filter.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
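
A small Python model of the rule ordering discussed in this thread, added here as an illustration and not taken from any post or from ACS itself. It assumes first-match rule evaluation; the group name, the addresses, the order of the group-only rules and the default result are constructed.

```python
import ipaddress

# Constructed "device filter": one single address plus one range (assumption).
WCS_FILTER = ["192.0.2.20", "198.51.100.0/28"]

def in_filter(device_ip, entries):
    """True if device_ip equals a listed address or falls in a listed range."""
    ip = ipaddress.ip_address(device_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

def authorize(rules, request, default="DEFAULT-DENY"):
    """First-match evaluation: the first rule whose conditions all hold wins.
    The default result name is a placeholder, not an ACS object."""
    for _name, conditions, profile in rules:
        if all(cond(request) for cond in conditions):
            return profile
    return default

def is_admin(req):      # hypothetical local group name
    return req["group"] == "NetAdmins"

def to_wcs(req):
    return in_filter(req["device_ip"], WCS_FILTER)

def not_wcs(req):
    return not to_wcs(req)

# Rules matched on the group only, as in the question: both rules have the
# same condition, so the second one can never be reached.
GROUP_ONLY = [
    ("rule 1", [is_admin], "Other-Shell-Profile"),
    ("rule 2", [is_admin], "WCS-Shell-Profile"),
]

# Rules that also compare the device, as in the answers.
DEVICE_AWARE = [
    ("rule 1", [is_admin, to_wcs], "WCS-Shell-Profile"),
    ("rule 2", [is_admin, not_wcs], "Other-Shell-Profile"),
]

def request(device_ip, group="NetAdmins"):
    return {"group": group, "device_ip": device_ip}

if __name__ == "__main__":
    for ip in ("192.0.2.20", "198.51.100.9", "203.0.113.1"):
        print(ip, authorize(GROUP_ONLY, request(ip)),
              authorize(DEVICE_AWARE, request(ip)))
```
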
