Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
943
Views
0
Helpful
2
Replies

ACS 5.1 - user attributes

Przemyslaw Konitz
Level 1
Level 1

‎08-10-2010 03:12 AM - edited ‎03-10-2019 05:19 PM

hi,

I test ACS 5.1 and have some questions to be answered 

General concept suits me well (service policy, access policy and so on). Its very flexible but what Im looking for right now is the way to assign privilege-level attribute only to specific user. I've only managed to assign shell profiles to specific condition, but for me it doesn't make sense to create new rule per each user.

Is there a way to make it different? Similar to version 4.2 of ACS where user attributes overrided group attributes?

And the 2nd question:

what the Dictionaries (TACACS+, RADIUS) are for? they list only attrubutes (there are checkbox but for what purpose?). Where they can be used?

thx for explaination

regards

Labels:
0 Helpful
2 Replies 2

jrabinow
Level 7
Level 7

‎08-10-2010 03:30 AM

Are you using the internal user database for your user definition. If so can assign privelege levels as follows:

- Create internal user attribute for "priv level"

- For each user enter the assigned priv level

- Creaate a shell profile for each of the priv levels you wish to assign

Create a rule in authoration for each priv level you wish to assign:

- if "user-attribute.priv-level" equals 1 then result "shell profile with priv level equals 1"

The RADIUS and TACACS+ dictionaries can be used in policy conditions and RADIUS attributes used in authoirzation profiles

0 Helpful

Przemyslaw Konitz
Level 1
Level 1
In response to jrabinow

‎08-10-2010 03:48 AM

Thx for reply.

I tried that way and it works however it is not completely what I looking for. Why? Because it makes me to define too many rules in authorization section of Access Services.

In some way it is simple but...

The situation can get worse if other conditions are different and I need to distinguish them additionally by privil-level-condition.

I tried it that way:

I defined a mandatory user attibute (priv-lvl: unsigned integer 32) and assigned Policy Condition Dislpay Name (privil-level-condition).

I have 4 user class and more additional conditions in rule definition (identity group, location, device type, time&date ...)

if all other condtions are the same and only privil-level-condition is different new rules need to be created (which generally are the same) with different "shell profile" result.

Am I correct?

Is this the only way to do this?

Additional question:

how to combine it with IAS RADIUS server which can return AV-attribute (priv-lvl for example). Is this condition and new rule need to be done as well? with shell-provfile result? Doesit always need to be returend (privilege level attribute) as shell-profile result?

regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents