12-17-2010 10:16 AM - edited 03-10-2019 05:39 PM
Migrating from ACS 4.2 to version ACS 5.1. I have AD and RSA users in 4.2 that belong to an ACS group. I was using the class 25 attribute on that group. I do not have corresponding groups for these users in AD or RSA. How can I achieve the same thing on ACS 5.1? Is it possible to put users who are not local into the ACS groups? Or is it possible to define the user on the ACS but point their authentication to the External Identity store? Would really appreciate any help.
12-17-2010 04:27 PM
Hi Hogogo,
In ACS 5 you need to set up an Identity Sequence, wherein you can set more than two databases.
Users and Identity Stores > ... > Identity Store Sequences > Create
And map this sequence to the Access policy. Please see attachment.
Regards,
~JG
Do rate helpful posts
12-20-2010 08:33 PM
Maybe I did not explain my scenario properly. I already have the Identity Store Sequence configured. My dilemma is this: in the current ACS 4.x version, I have users defined manually on the ACS server. I have users who authenticate through AD, RSA and Internal. These users are added to local ACS groups on the ACS 4.x server. For example, I have user1 - login in AD, user2 - login through RSA and user3 - login local on ACS. All three users are members of the local ACS group called Cisco. All three users access the corporate network through VPN. The VPN termination point is an ASA. On the ACS 4.x I use a class 25 attribute on the local group "Cisco" to define the Group-Policy to be used by the ASA for the user, and thus any vpn-filters associated with the group-policy will be applied to the users when they log in ("OU=Cisco"). Now my question is as follows: how can I add these users, authenticating through the ID store sequence I created, to a local ACS 5.1 group? Users are authenticating fine. I need to be able to apply the different policies I am currently influencing by the Class 25 attribute. The solution does not need to be the same, but anything that will allow me to apply different policies, user based or group based, when they log in through VPN. I need to limit the resources (based on ACL) they can access when logged in through VPN.
Thanks,
Qobi
12-21-2010 06:20 PM
If I were you I would try the following. For your internal users I would place them in a group on the ACS if you haven't done so already. For your domain accounts you can create a directory group under the AD settings and use this in an authorization profile. For your RSA users, are you using LDAP to pull specific attributes, or are you just letting them in if they pass authentication?
Next you will create an authorization profile under "Policy Elements" -> Network Access -> Authorization Profiles. Once you create the authorization profile, go under RADIUS Attributes; this is where you will reference the IETF attribute 25, which is Class, and set your value.
Then proceed to Access Policies -> Default Network Access (which comes out of the box, or if you have created one then select that). Select Identity and create an identity rule; you should be able to reference your identity sequence here.
Then select Authorization under the same access policy, then select "Customize" on the bottom right; you can select specific identity groups and other conditions that you would like to match for authorization to succeed. Once you finish this, create the rule that you want to match and then select the authorization profile that you created in the previous steps.
Let me know if this helps,
Tarik Admani
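The ASA side that consumes the Class attribute described above, as an added example that is not part of this thread or of any poster's configuration. It assumes constructed values: an ACS server at 10.1.1.5, a protected subnet 10.10.20.0/24, a tunnel group named RA_VPN and an ACL named VPN_FILTER_CISCO; only the group-policy name "Cisco" (matching the thread's Class value "OU=Cisco") comes from the thread. The shared secret is a placeholder.

```cisco
! Added example, not from this thread. Constructed values: ACS at 10.1.1.5,
! subnet 10.10.20.0/24, tunnel-group RA_VPN, ACL VPN_FILTER_CISCO.

! RADIUS server group pointing at the ACS 5.1 server
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
 authentication-port 1812
 accounting-port 1813

! Fallback group-policy for the tunnel group: a user whose Access-Accept
! carries no Class attribute lands here and cannot log in at all, so a
! missing or mistyped ACS authorization profile fails closed.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 authentication-server-group ACS
 default-group-policy NOACCESS

! vpn-filter ACL, written with the VPN client as the source; the ASA
! applies it to the session in both directions. Only HTTPS to the subnet
! and SSH to one host are allowed, everything else is dropped and logged.
access-list VPN_FILTER_CISCO extended permit tcp any 10.10.20.0 255.255.255.0 eq 443
access-list VPN_FILTER_CISCO extended permit tcp any host 10.10.20.5 eq 22
access-list VPN_FILTER_CISCO extended deny ip any any log

! Group-policy selected when ACS returns IETF attribute 25 (Class) with
! the value "OU=Cisco" in the authorization profile.
group-policy Cisco internal
group-policy Cisco attributes
 vpn-filter value VPN_FILTER_CISCO
 vpn-simultaneous-logins 3
```

After a test login, `show vpn-sessiondb detail` on the ASA shows which group-policy the session received, which confirms that the Class value sent by the ACS authorization profile matched the group-policy name; a user who ends up in NOACCESS is the signal that the ACS rule or the attribute value does not match.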
01-05-2011 06:51 PM
What I eventually did for RSA and AD users was to create the user accounts locally and disable them. Under the Identity Store Sequence, I defined to authenticate against RSA and AD. On the optional "Additional Attribute Retrieval Search List" I selected internal users. So basically the user is authenticated by RSA or AD and the other attributes are obtained by searching for that username locally, and thus the group membership is obtained. As indicated by Tarik, I created the associated Authorization Profiles for each group.
Thanks all for your assistance.
01-06-2011 01:44 AM
Hello Hogogo,
When you create an access service, check the group mapping box:
and then under your access policies you can create rules to map users to local groups:
Hope this helps.