Dynamic ACL for External Radius Accounts (ACS 5.3)

tobin_jim
Level 1

We have a Cisco ACS 5.2 server that queries another RADIUS server for certain AnyConnect VPN connections. We already use dynamic access-lists for some users in the Internal Identity Users Store. We would like to tie a dynamic access-list to users in the external database, based on the username passed back from the external RADIUS server. We are running ACS 5.3.0.40. Is it possible to do this?


4 Replies

jrabinow
Level 7

I think this can be done. You need to have an attribute that is retrieved from the external store with the name of the DACL.

Then build an authorization profile that dynamically takes the name of the DACL from this retrieved attribute.

If this direction makes sense and you need info on the next level of detail, let me know.

tobin_jim
Level 1

I think what you've described is what I am trying to achieve. Basically, the logic I am trying to implement, expressed as programming logic, is:

If you see Username=testuser1 then apply DACL=testuseracl

Any more details you can provide would be appreciated.

jrabinow
Level 7

Accepted Solution

[If running 5.3 and using AD, then I suggest installing the latest 5.3 patch]

OK. Assume the attribute is in AD and called DACL; then do the following:

1) Go to

Users and Identity Stores > External Identity Stores > Active Directory

and select the "Directory Attributes" tab

2) Add the attribute called DACL and save the changes

3) Build the authorization profile that will return the DACL

Go to

Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles > Create

In the "Common Tasks" tab, select the "Dynamic" option for Downloadable ACL Name

then select "AD-AD1" and the attribute added in step 2

and press Submit

You now have an authorization profile that will dynamically retrieve the attribute from AD and use it as the name of the downloadable ACL.

4) Select this authorization profile as the result in the authorization policy

e.g.:

Access Policies > Access Services > Default Network Access > Authorization

Should be good to go

tobin_jim
Level 1

Thanks for the response. Our external database is RADIUS, but I think we can get it to send back a RADIUS attribute string that we can use to map the ACLs to.
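An added illustration, not part of this thread and not ACS code: the last reply proposes having the external RADIUS server send back an attribute string that is then used as the DACL name. Whatever receives that reply should treat the name as untrusted input from another host. The Python below models the three checks a RADIUS proxy should make before using such a name: verify the Response Authenticator against the shared secret (RFC 2865 section 3), parse the attribute list without trusting its length fields, and accept the name only if it matches a DACL that is actually configured, failing closed otherwise. The `dacl=` cisco-av-pair key, the Filter-Id fallback, the shared secret, the request authenticator and the configured DACL set are assumptions chosen for the example; how ACS itself behaves when a dynamic DACL name does not match a configured DACL is not shown here.

```python
# Illustrative check for a DACL name arriving in an external RADIUS Access-Accept.
# Not ACS code: verify the reply, parse it defensively, allow-list the DACL name.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1          # RFC 2865 User-Name
ATTR_FILTER_ID = 11         # RFC 2865 Filter-Id (assumed fallback carrier for the name)
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # vendor type of cisco-av-pair
AVPAIR_KEY = "dacl"         # assumed av-pair key, e.g. "dacl=testuseracl"; not a Cisco-defined key

# Constructed fixtures: the DACLs "configured on ACS", the shared secret, and the
# Request Authenticator from the Access-Request we sent to the external server.
CONFIGURED_DACLS = {"testuseracl", "contractor-acl"}
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def parse_attributes(payload):
    """Return [(type, vendor_id, vendor_type, value)]; vendor fields are None for
    plain attributes. Raises ValueError rather than reading past a bad length."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = payload[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            # Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1) + string
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("malformed VSA at offset %d" % pos)
            attrs.append((atype, struct.unpack("!I", value[:4])[0], value[4], value[6:]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return attrs


def verify_response(packet, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def dacl_name_from_accept(packet, request_authenticator=REQUEST_AUTH,
                          secret=SECRET, configured=CONFIGURED_DACLS):
    """Return the DACL name to apply, or None to fail closed (unauthentic packet,
    malformed attributes, no usable attribute, or a name not configured here)."""
    if not verify_response(packet, request_authenticator, secret):
        return None
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError:
        return None
    avpair_name = filter_id_name = None
    for atype, vendor, vtype, value in attrs:
        text = value.decode("ascii", "replace").strip()
        if atype == ATTR_VENDOR_SPECIFIC and vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
            key, sep, val = text.partition("=")
            if sep and key.strip().lower() == AVPAIR_KEY:
                avpair_name = val.strip()
        elif atype == ATTR_FILTER_ID:
            filter_id_name = text
    name = avpair_name if avpair_name is not None else filter_id_name
    return name if name in configured else None  # allow-list: unknown names are dropped


def cisco_avpair(text):
    """Encode a cisco-av-pair as the value of a Vendor-Specific attribute."""
    s = text.encode("ascii")
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(s)) + s


def build_accept(ident, request_authenticator, secret, attrs):
    """Construct an Access-Accept with a correct Response Authenticator; stands in
    for the external RADIUS server's reply (constructed test input)."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


def demo():
    """Four replies the proxy might receive; only authentic, configured names pass."""
    good = build_accept(1, REQUEST_AUTH, SECRET, [
        (ATTR_USER_NAME, b"testuser1"), (ATTR_VENDOR_SPECIFIC, cisco_avpair("dacl=testuseracl"))])
    forged = build_accept(1, REQUEST_AUTH, b"attacker-guess", [
        (ATTR_VENDOR_SPECIFIC, cisco_avpair("dacl=testuseracl"))])      # wrong secret
    unknown = build_accept(2, REQUEST_AUTH, SECRET, [
        (ATTR_VENDOR_SPECIFIC, cisco_avpair("dacl=not-on-this-acs"))])  # not configured
    via_filter_id = build_accept(3, REQUEST_AUTH, SECRET, [(ATTR_FILTER_ID, b"contractor-acl")])
    return {"good": dacl_name_from_accept(good),          # "testuseracl"
            "forged": dacl_name_from_accept(forged),      # None
            "unknown": dacl_name_from_accept(unknown),    # None
            "via_filter_id": dacl_name_from_accept(via_filter_id)}  # "contractor-acl"


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-14s -> %r" % (label, result))
```

The allow-list step is the one that maps onto the thread: the external store only supplies a name, and the set of DACLs that can actually be applied stays under the control of whoever administers ACS. The authenticator check matters because a RADIUS server reached over the network is only as trustworthy as the shared secret protecting its replies.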