Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
674
Views
0
Helpful
2
Replies

4.2 to 5.3 Migration - Policy grouping issue

simon-walker
Level 1
Level 1

‎01-09-2014 07:26 AM - last edited on ‎03-09-2022 11:21 PM by Community Manager

Hi

I am looking for some advice to an issue I am experiencing with an ACS migration from 4.2 to 5.3. I have used the migration utility and transferred all the ID groups, Network devices incl their groups etc to 5.3 without any issues.

in 4.2 we heavily favoured permissions based on network device groups, in 5.3 as you may know this is not possible.

The issue I have is this:

The 3000 devices are split across 38 networks - Nothing can be done to change this due to the network device function.

Accessing these devices are 44 different User ID groups. All with varying levels of permissions to the networks they have access to.

I have tried to various methods to create new NDG's and ID Stores to group devices and/or Users to limit the number of Policy rules I will need but so far I have been unable to come up with a solution.

I could create a rule for situation, this however would result in a rule base of over 500 rules.

Why Cisco did not build ACS 5.X with the ability to allow several groups to connect to one NDG using one rule escapes me.

Any help advice would be greatly appreciated.

Labels:
0 Helpful
2 Replies 2

Tarik Admani
VIP Alumni
VIP Alumni

‎01-11-2014 04:27 AM

You should be able to use ndg with acs policies.

Are you trying to use AD groups or acs internal user groups.

Also have you tries upgrading to acs 5.4 latest patch or acs 5.5 to rule out the possibility of any bugs?

Sounds like you will need to rely on the compound condition configuration which requires you to use the customize button on the bottom right under the access policies section.


Sent from Cisco Technical Support Android App

0 Helpful

simon-walker
Level 1
Level 1
In response to Tarik Admani

‎01-13-2014 02:43 AM

The main issue I have is that I can only assign network group and one network device group to a rule. let me give you an example. I have one network device group, accessing that group I have 4 teams all with the same permissions, I cannot create one rule for this as I can only assign one user group to the policy rule. I could I guess create a new network group BUT there other network device groups that potentially three of these User groups dont have access to.

I have thought about building hierarchies of user groups and or network device groups but do not beleive this would work based on the many NDG access all the groups have access to.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents