ACS v5.5 authorization rules 320 limit

rfitheridge
Level 1

I am about to embark on a large service provider ACS migration / installation and I suspect I am going to need more than 320 authorization rules, which is the limit stated in the ACS v5.5 release notes.

Is the limit for the maximum number of rules for an Access Service, or for the ACS totally?


17 Replies

Impressive: 2000 NDGs, and over 600 NDGs in one Device Filter.

I agree the window is too small, and it will not scroll left or right (@cisco please fix it).

Yes, I have had no issues editing anywhere in the list (top, bottom, middle), except when the names are similar, where it can be difficult to select the correct entry since, as above, it is not possible to scroll horizontally. No stability issues with this. ACS v5.6 patch 2.

The good thing about using compound conditions is that everything is visible in the access policy; if you use Device Filters it is kind of hidden, but sometimes there's no choice.

I have not noticed any additional delay on rules at the bottom of the access policy, which is probably the best indicator.

We ended up solving our issue by adding an attribute for each customer account in our LDAP that matched the NDG name. Meaning there's an NDG (Network Devices and AAA Clients rule) called custX and a field in LDAP for customercode which is set to custX. Another customer account has customercode custY in LDAP and NDG custY in the ACS. We then have a compound condition (dynamic) rule that says: if LDAP customercode = NDG name, then.

Example:

LDAP-ldap_name:customercode equals System:NetworkDeviceName

We also combined that with an access level since we have multiple access levels per customer.

This saved us a ton of complex rules and makes provisioning accounts really easy. Not sure if you use LDAP/AD for your user store, but since we do, this makes things much easier.
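The rule in the post above replaces one static authorization rule per (customer, access level) pair with a single dynamic comparison. The following is an added example, not code from the thread or from Cisco ACS: it models that comparison in Python so the rule-count saving and the tenant-isolation behaviour can be checked offline. The device inventory, user records, attribute names beyond `customercode`, shell profile names and the 300-customer figure are all constructed assumptions.

```python
"""Model of the dynamic compound condition

    LDAP-ldap_name:customercode equals System:NetworkDeviceName

from the post above. Constructed example: ACS evaluates its rule table in
its own policy engine; this only reproduces the comparison so its effect
can be examined without an ACS server. All data below is made up.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Device:
    """A network device as ACS sees it: its NDG under 'Network Devices and AAA Clients'."""
    hostname: str
    ndg: Optional[str]            # None models a device not yet assigned to a customer NDG


@dataclass(frozen=True)
class User:
    """A user record as returned by the LDAP identity store (assumed attribute names)."""
    username: str
    customercode: Optional[str]   # LDAP attribute provisioned to equal the customer's NDG name
    access_level: str             # second LDAP attribute, e.g. 'admin' or 'readonly'


# Assumed mapping from access level to the ACS shell profile the rule returns.
SHELL_PROFILES = {"admin": "Shell-Admin", "readonly": "Shell-ReadOnly"}
DENY = "DenyAccess"


def customer_matches(user: User, device: Device) -> bool:
    """The dynamic condition: LDAP customercode equals the device's NDG name.

    A missing value on either side must never match. Comparing two empty
    strings would let an unprovisioned account onto an unassigned device,
    so the check is explicit rather than relying on '' == ''.
    """
    if not user.customercode or not device.ndg:
        return False
    return user.customercode == device.ndg


def authorize(user: User, device: Device) -> str:
    """Evaluate the combined rule (customer match AND access level); return a shell profile."""
    if not customer_matches(user, device):
        return DENY
    return SHELL_PROFILES.get(user.access_level, DENY)


def static_rule_count(customers: Iterable, levels: Iterable) -> int:
    """Rules the same policy costs without the dynamic comparison:
    one rule per (customer NDG, access level) pair."""
    return len(list(customers)) * len(list(levels))


def dynamic_rule_count(levels: Iterable) -> int:
    """With the compound condition, one rule per access level suffices."""
    return len(list(levels))


# Constructed inventory: two customers, two access levels, one unassigned device,
# one account that has not yet been given a customercode.
DEVICES = {
    "custX-rtr1": Device("custX-rtr1", "custX"),
    "custY-sw1": Device("custY-sw1", "custY"),
    "staging-sw1": Device("staging-sw1", None),
}
USERS = {
    "alice": User("alice", "custX", "admin"),
    "bob": User("bob", "custY", "readonly"),
    "carol": User("carol", None, "admin"),
}


if __name__ == "__main__":
    for uname, user in USERS.items():
        for dname, device in DEVICES.items():
            print(f"{uname:6} -> {dname:12}: {authorize(user, device)}")
    # 300 customers x 2 levels as static rules is 600, well over the 320 limit
    # discussed in this thread; the dynamic form needs 2.
    print("static rules :", static_rule_count(range(300), SHELL_PROFILES))
    print("dynamic rules:", dynamic_rule_count(SHELL_PROFILES))
```

The check worth keeping from this model is the empty-value case: the whole tenant boundary rests on `customercode` being set on every account and every device sitting in a customer NDG, so an equality rule must fail closed when either side is absent rather than match on blanks.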

I like the idea of using LDAP; it at least removes the hassle of modifying ACS, and, like you say, if it's already there.

In our case the service provider wanted like-for-like in an upgrade from ACS v4.2.1: no LDAP, no AD. There is RSA SecurID external auth, but that does not assist.

I did try to add an additional user attribute with the value of the NDG name, but it would not allow me to create the dynamic rule; if I recall correctly, it would not allow multiple hierarchies to be used.