Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1187
Views
0
Helpful
2
Replies

ACS 5.2 Access Policies problem

Go to solution
thomaschalmers
Level 1
Level 1

‎03-15-2012 10:18 AM - edited ‎03-12-2019 05:40 PM

Looking for some help as I am new to this version of ACS.

Here is the scenario:

We have two device groups

  1. ASAs for VPN access
  2. Wireless Controllers

There are 2 AAA devices in each group.

We have 4 Identity Stores

  1. ACS Internal User Store - This is used for external suppliers doing SSL VPN on ASAs
  2. External Radius server - this is a two factor authentication server that in turn looks up our AD and its own internal token database. This is used for IPSEC VPN access for internal employees.
  3. We have mapped AD groups - this is used for allowing access for wireless users.
  4. LDAP group mapped from other AD domain - used for allowing wireless access to an associated organisation.

Our requirements

  1. We need to create a rule for the VPN access that first of all looks through the ACS internal store - if a user is not found there then it checks the external Radius server. If no users are found there then access is denied.
  2. We needto create a similar rule for wireless users so that it will check AD - if a user is not found there then it checks LDAP. If no users are found then access is denied.

Any assistance you could give me with this would be much appreciated. If further information is required then please let me know.

Regards,

TC

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nicolas Darchis
Cisco Employee
Cisco Employee

‎03-16-2012 06:38 AM

Hi Thomas,

for point 1. configure an "Identity store sequence" that consists of :

-acs internal db

-External radius server

Let's call it "VPNSequence"

For point 2, configure an IDentity store sequence of :

-AD

-LDAP

Let's call it "Wireless Sequence"

Then configure the identity section of your "default network access" service.

Put a condition that will match the vpn access (for example "if network device belongs to the network device group called "VPN concentrators". You will obviously put all ASAs there). The identity store used will be the sequence you created above("VPNSequence").

Create a second rule (for point 2) that will match wireless access (if network device belongs to WLC group for example) and that will use the sequence "WirelessSequence" as identity store.

This should authenticate everyone accordingly. However only "permit access" will be returned. If you want to return various attributes, it's in the authorization tab and it's another topic :-)

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Nicolas Darchis
Cisco Employee
Cisco Employee

‎03-16-2012 06:38 AM

Hi Thomas,

for point 1. configure an "Identity store sequence" that consists of :

-acs internal db

-External radius server

Let's call it "VPNSequence"

For point 2, configure an IDentity store sequence of :

-AD

-LDAP

Let's call it "Wireless Sequence"

Then configure the identity section of your "default network access" service.

Put a condition that will match the vpn access (for example "if network device belongs to the network device group called "VPN concentrators". You will obviously put all ASAs there). The identity store used will be the sequence you created above("VPNSequence").

Create a second rule (for point 2) that will match wireless access (if network device belongs to WLC group for example) and that will use the sequence "WirelessSequence" as identity store.

This should authenticate everyone accordingly. However only "permit access" will be returned. If you want to return various attributes, it's in the authorization tab and it's another topic :-)

0 Helpful

Go to solution
thomaschalmers
Level 1
Level 1
In response to Nicolas Darchis

‎03-20-2012 07:01 AM

Thanks a lot - that worked great - I hadnt noticed the sequence option for the identity stores!

Best regards,

Thomas.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents