03-13-2014 11:30 AM - edited 02-21-2020 05:07 AM
Hi Folks,
Working on deploying ACS 5.5 in a multi-site (5+) environment. With groups going away, what is the best way to allow location-based access? So far, I have the following, but it seems way overcomplicated.
Each device is assigned a location in the NDG
User Attributes: Location Restriction (string)
Device Restrictions - Enumeration (e.g. Router: Read <or> Read/Write <or> No Access)
Access Service Selection - Each site has its own TACACS and RADIUS Access Service
(e.g. SITE_A-TACACS, SITE_A-RADIUS, SITE_B-TACACS, etc.)
Matches are done on NDG Location and Protocol
Each SITE Access service (SITE_A-TACACS) has role based policies per device type. The following is an authorization policy for SITE_A Router Admin Access
Router Admin Policy
  Check User Attribute: Device Restrictions: Enumeration Value: Router Admin
  AND
    - Check User Attributes: String: Location Restriction ( IF CONTAINS ) SITE_A
    OR
    - Check User Attributes: String: Location Restriction ( IF CONTAINS ) None
  Shell: Router Admin
  Command Set: Router Admin
It works great, however, that means the rules need to be duplicated if a new site is brought online. Also, if a new device type is created, say, Firewalls, an additional user attribute would need to be created and all users updated. Additionally, all sites in the service selection would need the appropriate device type added: SITE_A, B, C, etc. would each need a firewall authorization profile created.
Thanks for reading
03-27-2014 02:18 AM
03-31-2014 07:42 PM
Hello,
ACS is a policy-based server, and as with every policy server, you need to comply with a set of conditions to have a result.
The best way to do it is by having as condition NDG location + NDG Device Type + User AD or local group = xxxx permission.
Regards,
Erick Delgado
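As an added illustration (not part of the reply above, and not ACS code), the following Python models the suggested single rule table keyed on NDG Location + NDG Device Type + user group, evaluated first-match with a default deny. The site names, group names and shell profile names are constructed placeholders; a wildcard row plays the role of the "None" location restriction in the original question.

```python
from dataclasses import dataclass

# Hypothetical model of an ACS authorization rule table (not ACS itself):
# one row per (NDG:Location, NDG:Device Type, user group) -> shell profile.
ANY = "*"  # wildcard row, stands in for the unrestricted ("None") location case


@dataclass(frozen=True)
class Rule:
    location: str       # NDG:Location of the device, or ANY
    device_type: str    # NDG:Device Type of the device, or ANY
    group: str          # AD or local group the user must be in, or ANY
    shell_profile: str  # result granted when every condition matches

    def matches(self, location, device_type, groups):
        return (self.location in (ANY, location)
                and self.device_type in (ANY, device_type)
                and (self.group == ANY or self.group in groups))


# Constructed sample rules. Bringing a new site online means adding rows
# here, not cloning a per-site access service and its policies.
RULES = [
    Rule("SITE_A", "Router", "SiteA-NetAdmins", "Router Admin"),
    Rule("SITE_B", "Router", "SiteB-NetAdmins", "Router Admin"),
    Rule(ANY, "Router", "Global-NetAdmins", "Router Admin"),
    Rule(ANY, "Router", "Helpdesk", "Router ReadOnly"),
    Rule(ANY, "Firewall", "Global-FwAdmins", "Firewall Admin"),
]

DEFAULT_DENY = "Deny Access"


def authorize(location, device_type, groups, rules=RULES):
    """First-match evaluation, as in an ACS rule table; no match -> default deny."""
    for rule in rules:
        if rule.matches(location, device_type, groups):
            return rule.shell_profile
    return DEFAULT_DENY


if __name__ == "__main__":
    # A SITE_A admin on a SITE_A router is granted; the same user on a
    # SITE_B router or on a firewall falls through to the default deny.
    print(authorize("SITE_A", "Router", {"SiteA-NetAdmins"}))
    print(authorize("SITE_B", "Router", {"SiteA-NetAdmins"}))
    print(authorize("SITE_A", "Firewall", {"SiteA-NetAdmins"}))
```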