Bypass Default Network Access ACS 5.4

Hi everyone

I have an ACS 5.4 with 4 Network Access policies with 4 Access services rules:

A) Default Device Admin -> Rule 2 -> match Radius All Devices :Wireless:Wireless_WCS

B) Default Network Access -> Radius 3 -> Match Radius -> ANY

C) Wireless_WCS -> match Tacacs -> ANY

D) Test Policy -> Radius -> ANY

Now, I use Active Directory as Identity Source on the B) Network Access policy, and in the Authorization section I have created one authorization for each Active Directory Group.

Everything works fine at this point.

But when I create the D) Network Access Policy, with a new Active Directory Group and a different Identity Source, I can't use it to authenticate users. Each time I try to match that policy, each try goes to "Default Network Access".

Just to be clear, the "Default Network Access" policy doesn't include the Active Directory Group used on D) Test Policy.

On D) Test Policy I use a RADIUS Server to authenticate with the AD as the "Additional Attribute Retrieval Search List".

Summary: I need two different network access policies, for two Active Directory Groups, with two different Identity Sources.

Thanks in advance,

S.

8 Replies

edwjames
Level 3

Hi Sebastian,

Could you share a screenshot of the "service selection rules"?

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed


Hi Ed! Thanks for the answer, here is the screenshot:

Do you need more information?

S

Hi Sebastian,

What do rule 3 and rule 22 point to as a result, and do they have any other conditions other than protocol?

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed


When the rules match, VLANs are assigned within each rule. More info?

Sebastian,

Only the result of the service selection rules will help.

Here's my guess:

The two service selection rules are identical in terms of the conditions used, and the first one (rule 3) gets serviced all the time. ACS works from top to bottom and it will match the first rule that matches the criteria or conditions.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed


Thanks again Ed, here you have the screenshots. You are right, the only difference is the "results", but the Active Directory Groups that match on Test-VU and Default Network Access are not the same. Also, the Identity Sources for Test-VU and Default Network Access are different too.

Hi Sebastian,

I agree with you, there might be differences in identity and authorization, but if you don't split or differentiate the services in the service selection rules, they won't be of any use, because ACS does not come back to the service selection rules once it passes them. The flow is as follows:

Service Selection rule-->Access service-->Identity-->Authorization.

ACS will not recheck the service selection rules to find the next service if the identity or authorization did not match.

One more thing: you cannot assign two different identity sources (results) based on two AD groups (conditions).

The reason is, groups are identified after identity is parsed, so as I said, ACS does not go backwards.

You will have to find another condition to differentiate these requests.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

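The flow Ed describes (first-match service selection, then identity and authorization inside the chosen access service, with no return to service selection) can be modelled in a few lines. The example below is an added illustration, not Cisco code; the services, the "ndg" condition and the AD groups and VLANs are constructed sample values, not the ones in the screenshots.

```python
from dataclasses import dataclass, field


@dataclass
class AccessService:
    """One access service: its identity store and its authorization rules."""
    name: str
    identity_store: str
    authorization: dict = field(default_factory=dict)  # AD group -> VLAN

    def evaluate(self, request):
        # Group membership is only known here, after the identity store
        # has been queried, which is why AD group cannot be a service
        # selection condition.
        groups = request["groups_by_store"].get(self.identity_store, set())
        for group, vlan in self.authorization.items():
            if group in groups:
                return self.name, vlan
        return self.name, "REJECT"


def select_service(rules, request):
    """Service selection: first matching rule, top to bottom."""
    for conditions, service in rules:
        if all(request.get(k) == v for k, v in conditions.items()):
            return service
    return None


def evaluate(rules, request):
    service = select_service(rules, request)
    if service is None:
        return None, "NO_SERVICE"
    # No backtracking: a reject inside this service is final.
    return service.evaluate(request)


# Constructed services mirroring the thread's B) and D) policies.
DEFAULT = AccessService("Default Network Access", "AD1", {"Staff": 10})
TEST = AccessService("Test Policy", "RADIUS-AD2", {"Guests": 20})

# Both rules keyed only on protocol: the second rule is unreachable.
BROKEN_RULES = [({"protocol": "radius"}, DEFAULT),
                ({"protocol": "radius"}, TEST)]
# Differentiated by an extra condition (a network device group, assumed).
FIXED_RULES = [({"protocol": "radius", "ndg": "Wireless"}, DEFAULT),
               ({"protocol": "radius", "ndg": "Test"}, TEST)]

# Constructed request: a user who exists only in the second identity store.
GUEST = {"protocol": "radius", "ndg": "Test",
         "groups_by_store": {"RADIUS-AD2": {"Guests"}}}
```

With BROKEN_RULES the guest is always handed to "Default Network Access" and rejected there; with FIXED_RULES the same request reaches "Test Policy" and gets VLAN 20.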

Thanks Ed, we found a way to match different groups using a few RADIUS attributes; now we need to strip the prefix/suffix of the user name using a separator like "/", "@", "%", whatever we can use.