03-15-2012 10:18 AM - edited 03-12-2019 05:40 PM
Looking for some help as I am new to this version of ACS.
Here is the scenario:
We have two device groups
There are 2 AAA devices in each group.
We have 4 Identity Stores
Our requirements
Any assistance you could give me with this would be much appreciated. If further information is required then please let me know.
Regards,
TC
03-16-2012 06:38 AM
Hi Thomas,
For point 1, configure an "Identity store sequence" that consists of:
- ACS internal DB
- External RADIUS server
Let's call it "VPNSequence".
For point 2, configure an Identity store sequence of:
- AD
- LDAP
Let's call it "Wireless Sequence".
Then configure the identity section of your "default network access" service.
Put a condition that will match the VPN access (for example, "if network device belongs to the network device group called 'VPN concentrators'". You will obviously put all ASAs there). The identity store used will be the sequence you created above ("VPNSequence").
Create a second rule (for point 2) that will match wireless access (if network device belongs to WLC group for example) and that will use the sequence "WirelessSequence" as identity store.
This should authenticate everyone accordingly. However only "permit access" will be returned. If you want to return various attributes, it's in the authorization tab and it's another topic :-)
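As an added illustration (not part of the original reply, and not ACS code), the following Python model shows how the identity policy described above selects a sequence from the network device group and then walks the stores in order. Store contents, device names and the fallthrough semantics (user not found moves to the next store; a wrong password stops the sequence) are assumptions made for the example.

```python
# Added example: a model of the ACS 5.x identity policy described in this thread.
# Rule on network device group -> identity store sequence; stores tried in order.
# All store contents, device names and fallthrough rules below are constructed
# assumptions for illustration, not ACS's own behaviour or code.

# Constructed sample stores: store name -> {username: password}.
STORES = {
    "Internal Users":  {"vpnadmin": "Local#1"},
    "External RADIUS": {"tc": "Radius#1"},
    "AD":              {"alice": "Ad#1"},
    "LDAP":            {"bob": "Ldap#1"},
}

# The two identity store sequences from the reply.
SEQUENCES = {
    "VPNSequence":      ["Internal Users", "External RADIUS"],
    "WirelessSequence": ["AD", "LDAP"],
}

# Identity policy rules, evaluated top-down: network device group -> sequence.
IDENTITY_RULES = [
    ("VPN concentrators", "VPNSequence"),
    ("WLC",               "WirelessSequence"),
]

# Network device -> network device group, as registered in ACS (constructed).
DEVICES = {
    "asa-1": "VPN concentrators", "asa-2": "VPN concentrators",
    "wlc-1": "WLC",               "wlc-2": "WLC",
    "sw-1":  "Switches",          # no rule matches this group
}


def authenticate(device, user, password):
    """Return (result, store_that_decided) for a request arriving from `device`."""
    ndg = DEVICES.get(device)
    sequence = next((s for g, s in IDENTITY_RULES if g == ndg), None)
    if sequence is None:
        return ("reject", None)           # no identity rule matched: default deny
    for store in SEQUENCES[sequence]:
        users = STORES[store]
        if user not in users:
            continue                      # assumed: user not found -> try next store
        if users[user] == password:
            return ("permit", store)      # only "permit access" is returned here
        return ("reject", store)          # assumed: wrong password ends the sequence
    return ("reject", None)               # every store in the sequence was exhausted
```

Note that a VPN user is invisible to a request coming from a WLC, and vice versa, because the device group picks the sequence before any store is consulted.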
03-20-2012 07:01 AM
Thanks a lot - that worked great - I hadn't noticed the sequence option for the identity stores!
Best regards,
Thomas.