ACS 5.5 Configuration Example? Multi-site Ideas...

NathanPusnik (Level 1)

Hi Folks,

Working on deploying ACS 5.5 in a multi-site (5+) environment. With groups going away, what is the best way to allow location-based access? So far, I have the following, but it seems way overcomplicated.

Each device is assigned a location in the NDG

User Attributes: Location Restriction (string)

Device Restrictions - Enumeration (e.g. Router: Read <or> Read/Write <or> No Access)

Access Service Selection - Each site has its own TACACS and RADIUS Access Service
(e.g. SITE_A-TACACS, SITE_A-RADIUS, SITE_B-TACACS, etc.)
Matches are done on NDG Location and Protocol

Each SITE Access service (SITE_A-TACACS) has role based policies per device type. The following is an authorization policy for SITE_A Router Admin Access

Router Admin Policy

Check User Attribute: Device Restrictions: Enumeration Value: Router Admin

AND

- Check User Attributes: String: Location Restriction (IF CONTAINS) SITE_A
  OR
- Check User Attributes: String: Location Restriction (IF CONTAINS) None

Shell: Router Admin

Command Set: Router Admin

It works great; however, that means the rules need to be duplicated if a new site is brought online. Also, if a new device type is created, say, Firewalls, an additional user attribute would need to be created and all users updated. Additionally, all sites in the service selection would need the appropriate device type added: SITE_A, B, C, etc. would need a firewall authorization profile created.

Thanks for reading

2 Replies

Naveen Kumar (Level 4)

edelgado (Level 1)

Hello,

ACS is a policy-based server, and as with every policy server, you need to comply with a set of conditions to get a result.

The best way to do it is by having as conditions NDG Location + NDG Device Type + user AD or local group = xxxx permission.

Regards,

Erick Delgado
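The rule shape Erick describes (NDG Location + NDG Device Type + identity group as conditions, a shell profile and command set as the result) can be modelled as a single first-match rule table instead of one access service per site. The script below is an added example written for this thread, not ACS code and not ACS's real rule syntax; the site names, AD group naming convention (`SITE_X-RouterAdmins`, `GLOBAL-RouterAdmins`), shell profile and command set names are all made up. It shows the two operational properties the original post is worried about: bringing a new site online only adds an NDG location value and a set of site-scoped groups (the role list is reused), and adding a device type only adds one role row rather than a new per-user attribute. It also shows the two checks a practitioner should confirm in any such policy: a SITE_A admin landing on a SITE_B device is denied, and a request that matches no rule falls through to an implicit deny. Location and device type are compared exactly, not by substring, so a site name that is a prefix of another cannot match by accident.

```python
"""
Toy model of an ACS 5.x-style device-administration authorization policy:
conditions are NDG:Location, NDG:Device Type and the user's identity group,
rules are evaluated top-down, first match wins, and an implicit deny applies
when nothing matches.  Example code for the thread above; not ACS code, and
all site / group / profile names are assumptions.
"""
from dataclasses import dataclass

ANY = "ANY"  # wildcard: condition not evaluated (an empty condition cell in ACS)


@dataclass(frozen=True)
class Rule:
    name: str
    location: str       # NDG:Location of the device, or ANY
    device_type: str    # NDG:Device Type of the device, or ANY
    group: str          # identity group (AD or internal) the user must be in, or ANY
    shell_profile: str
    command_set: str


@dataclass(frozen=True)
class Request:
    device_location: str   # NDG:Location of the device the user logged in to
    device_type: str       # NDG:Device Type of that device
    user_groups: frozenset  # identity groups returned for the authenticated user


@dataclass(frozen=True)
class Decision:
    rule: str
    shell_profile: str
    command_set: str


IMPLICIT_DENY = Decision("implicit-deny", "DenyAccess", "DenyAllCommands")

# Roles that exist at every site (assumed):
# (device type, group suffix, shell profile, command set).
# Adding a device type such as "Firewall" means adding rows here, not a user attribute.
ROLES = [
    ("Router", "RouterAdmins", "RouterAdmin", "RouterAdmin"),
    ("Router", "RouterReadOnly", "RouterRO", "ShowOnly"),
    ("Switch", "SwitchAdmins", "SwitchAdmin", "SwitchAdmin"),
]


def site_rules(site):
    """Rows added when a site comes online: one per role, keyed on the site's
    NDG location and a site-scoped group such as 'SITE_B-RouterAdmins'
    (assumed naming convention).  No existing rule or user is touched."""
    return [Rule(f"{site}-{suffix}", site, dtype, f"{site}-{suffix}", shell, cmds)
            for dtype, suffix, shell, cmds in ROLES]


def global_rules():
    """Rows for staff allowed at every site: location ANY, one per role."""
    return [Rule(f"GLOBAL-{suffix}", ANY, dtype, f"GLOBAL-{suffix}", shell, cmds)
            for dtype, suffix, shell, cmds in ROLES]


def build_policy(sites):
    # Global rows first: order matters under first-match evaluation.
    return global_rules() + [r for site in sites for r in site_rules(site)]


def _cond(cond, value):
    # Exact match, not substring: "SITE_A" must not match a device in "SITE_AB".
    return cond == ANY or cond == value


def authorize(policy, req):
    """First-match evaluation with implicit deny, as an ACS authorization
    policy behaves when no rule hits and the default rule is DenyAccess."""
    for rule in policy:
        if (_cond(rule.location, req.device_location)
                and _cond(rule.device_type, req.device_type)
                and (rule.group == ANY or rule.group in req.user_groups)):
            return Decision(rule.name, rule.shell_profile, rule.command_set)
    return IMPLICIT_DENY


if __name__ == "__main__":
    # Constructed sample requests.
    policy = build_policy(["SITE_A", "SITE_B"])
    samples = [
        Request("SITE_A", "Router", frozenset({"SITE_A-RouterAdmins"})),   # allowed
        Request("SITE_B", "Router", frozenset({"SITE_A-RouterAdmins"})),   # wrong site: deny
        Request("SITE_B", "Switch", frozenset({"GLOBAL-SwitchAdmins"})),   # global role
        Request("SITE_A", "Firewall", frozenset({"SITE_A-RouterAdmins"})),  # no rule: deny
    ]
    for req in samples:
        print(req.device_location, req.device_type, "->", authorize(policy, req))
```

When porting this back to ACS, the order of rows in the authorization policy is the order in the table here; put the global rows at the top and keep the default rule at DenyAccess so that a device type or site with no row fails closed rather than inheriting a profile.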
