05-16-2016 08:52 AM - edited 03-10-2019 11:46 PM
Hello,
Here is my situation: I have a Lantronix device and two groups of users needing access using TACACs (ACS 5.6). I want to avoid putting all the users in one group because many of the users would then receive access to other, restricted devices.
Basically, I need Group A to access devices 1 - 10 but Group B only able to access device 1.
I've been reviewing authorization policies but I'm unclear on exactly where to go. Any help would be appreciated.
Thank you.
Daniel
05-19-2016 06:15 PM
I am not sure how much the menus in ACS 5.6 have changed compared to ACS 5.4 (we still have it but started moving to ISE 2.0 for TACACS). But I will throw my idea out anyway and hopefully give you some progress. I am not familiar with Lantronix devices, but are they configurable with TACACS?
Here's how I will try to solve this in ACS 5.4. Make sure you also have appropriate Shell Profile and Command Sets in the Authorization rules below.
1. Users and Identity Stores > Identity Groups > Create Group A and B > Save.
2. Users and Identity Stores > Internal Identity Stores > Users > Create the users > When creating the users, assign them to their respective Identity Group in Step 1(Group A and B) > Save.
3. Users and Identity Stores > Identity Store Sequences > Create Identity Store = Local for example > In Additional Attribute Retrieval Search List, select Internal Users > Save.
4. Policy Elements > Session Conditions > Network Conditions > Device Filters > Create Device Filter = Group A > Select IP Address tab then check mark Device IP > Add the ip address of the devices > Create Device Filter = Group B > Select IP Address tab then check mark Device IP > Add the ip address of the devices > Submit.
5. Access Policies > Access Services > Create the Access Service > Identity = Local in Step 3 > Authorization > Customize > Add Device Filter and Identity Group > Click OK > Create Authorization Rule 1 > Select Device Filter = Group A > Select Identity Group = Identity Group A in Step 1 > Click OK > Create Authorization Rule 2 > Select Device Filter = Group B > Select Identity Group = Identity Group B in Step 1 > Click OK
HTH
***Please rate and mark the comment correct if you find it helpful. Thanks***
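To make the effect of steps 4 and 5 concrete, here is an added model of how the authorization rules evaluate once both a Device Filter and an Identity Group condition are in place. It is example code written for this thread, not ACS's own logic or anything from the answer above; the device IPs, user names and shell profile names are constructed placeholders. It also shows the over-broad case the question wants to avoid: a rule that matches on the device filter alone (no Identity Group condition) lets Group B users onto every Group A device.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the ACS objects from the answer. Real ACS device filters
# take IP/mask entries; plain addresses are used here to keep the model short.
DEVICE_FILTERS = {
    "Group A": {f"10.0.0.{n}" for n in range(1, 11)},  # devices 1-10 (constructed)
    "Group B": {"10.0.0.1"},                           # device 1 only
}

IDENTITY_GROUPS = {
    "Identity Group A": {"alice", "arun"},   # constructed user names
    "Identity Group B": {"bob", "bea"},
}


@dataclass
class AuthzRule:
    name: str
    device_filter: str
    identity_group: Optional[str]   # None models a rule with no Identity Group condition
    shell_profile: str              # result granted when the rule matches


# Rules as built in step 5: each one binds a device filter to one identity group.
RULES = [
    AuthzRule("Rule 1", "Group A", "Identity Group A", "Priv15"),
    AuthzRule("Rule 2", "Group B", "Identity Group B", "Priv15"),
]

# The shortcut the question is trying to avoid: one rule keyed on the device
# filter only, with every user in a single group.
OVERBROAD_RULES = [
    AuthzRule("Rule 1", "Group A", None, "Priv15"),
]


def authorize(user: str, device_ip: str, rules=RULES) -> Optional[str]:
    """Return the shell profile of the first matching rule, or None (deny).

    Rules are evaluated top-down like an ACS policy table; with no match the
    default result is deny, so anything not explicitly allowed is refused.
    """
    ipaddress.ip_address(device_ip)  # reject malformed device addresses early
    for rule in rules:
        device_ok = device_ip in DEVICE_FILTERS[rule.device_filter]
        group_ok = (rule.identity_group is None
                    or user in IDENTITY_GROUPS[rule.identity_group])
        if device_ok and group_ok:
            return rule.shell_profile
    return None


def access_matrix(users, devices, rules=RULES):
    """Who can reach what: user -> {device_ip -> shell profile or None}."""
    return {u: {d: authorize(u, d, rules) for d in devices} for u in users}


if __name__ == "__main__":
    devices = sorted(DEVICE_FILTERS["Group A"], key=ipaddress.ip_address)
    for user, row in access_matrix(["alice", "bob", "mallory"], devices).items():
        allowed = [d for d, prof in row.items() if prof]
        print(f"{user:8s} allowed on {len(allowed)}/{len(devices)} devices: {allowed}")
```

Running the model shows alice (Identity Group A) reaching all ten devices, bob (Identity Group B) reaching only 10.0.0.1, and an unknown user reaching nothing. Swapping in `OVERBROAD_RULES` is the one-group setup the question describes: bob is then authorized on every Group A device, which is exactly why the Identity Group column has to be added under Customize before the rules are created.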