Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

825
Views
0
Helpful
2
Replies
thomaschalmers
thomaschalmers Beginner
Beginner
‎03-15-2012 10:18 AM
‎03-15-2012 10:18 AM

ACS 5.2 Access Policies problem

Looking for some help as I am new to this version of ACS.

Here is the scenario:

We have two device groups

  1. ASAs for VPN access
  2. Wireless Controllers

There are 2 AAA devices in each group.

We have 4 Identity Stores

  1. ACS Internal User Store - This is used for external suppliers doing SSL VPN on ASAs
  2. External Radius server - this is a two factor authentication server that in turn looks up our AD and its own internal token database. This is used for IPSEC VPN access for internal employees.
  3. We have mapped AD groups - this is used for allowing access for wireless users.
  4. LDAP group mapped from other AD domain - used for allowing wireless access to an associated organisation.

Our requirements

  1. We need to create a rule for the VPN access that first of all looks through the ACS internal store - if a user is not found there then it checks the external Radius server. If no users are found there then access is denied.
  2. We needto create a similar rule for wireless users so that it will check AD - if a user is not found there then it checks LDAP. If no users are found then access is denied.

Any assistance you could give me with this would be much appreciated. If further information is required then please let me know.

Regards,

TC

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Nicolas Darchis
Nicolas Darchis Cisco Employee
Cisco Employee
‎03-16-2012 06:38 AM
‎03-16-2012 06:38 AM

ACS 5.2 Acces Policies problem

Hi Thomas,

for point 1. configure an "Identity store sequence" that consists of :

-acs internal db

-External radius server

Let's call it "VPNSequence"

For point 2, configure an IDentity store sequence of :

-AD

-LDAP

Let's call it "Wireless Sequence"

Then configure the identity section of your "default network access" service.

Put a condition that will match the vpn access (for example "if network device belongs to the network device group called "VPN concentrators". You will obviously put all ASAs there). The identity store used will be the sequence you created above("VPNSequence").

Create a second rule (for point 2) that will match wireless access (if network device belongs to WLC group for example) and that will use the sequence "WirelessSequence" as identity store.

This should authenticate everyone accordingly. However only "permit access" will be returned. If you want to return various attributes, it's in the authorization tab and it's another topic :-)

View solution in original post

0 Helpful
Reply
2 REPLIES 2
Nicolas Darchis
Nicolas Darchis Cisco Employee
Cisco Employee
‎03-16-2012 06:38 AM
‎03-16-2012 06:38 AM

ACS 5.2 Acces Policies problem

Hi Thomas,

for point 1. configure an "Identity store sequence" that consists of :

-acs internal db

-External radius server

Let's call it "VPNSequence"

For point 2, configure an IDentity store sequence of :

-AD

-LDAP

Let's call it "Wireless Sequence"

Then configure the identity section of your "default network access" service.

Put a condition that will match the vpn access (for example "if network device belongs to the network device group called "VPN concentrators". You will obviously put all ASAs there). The identity store used will be the sequence you created above("VPNSequence").

Create a second rule (for point 2) that will match wireless access (if network device belongs to WLC group for example) and that will use the sequence "WirelessSequence" as identity store.

This should authenticate everyone accordingly. However only "permit access" will be returned. If you want to return various attributes, it's in the authorization tab and it's another topic :-)

View solution in original post

0 Helpful
Reply
thomaschalmers
thomaschalmers Beginner
Beginner
‎03-20-2012 07:01 AM
‎03-20-2012 07:01 AM

ACS 5.2 Acces Policies problem

Thanks a lot - that worked great - I hadnt noticed the sequence option for the identity stores!

Best regards,

Thomas.

0 Helpful
Reply
Latest Contents
The year in cyber threats: A look back at the tools and tact...
Created by Kelli Glass on 12-13-2019 03:37 PM
0
0
0
0
How would your organization perform against the cyberattacks of 2019? Protect your organization in 2020 by learning about the biggest cyberthreats of the year. Read the latest Cisco Cybersecurity Report 
#CiscoChat Live: 2019 Cyber Threats of the Year
Created by Kelli Glass on 12-13-2019 03:19 PM
0
0
0
0
Join us live on Tuesday, December 17 at 9 am PT (and on demand after) to learn about the cyber threats of 2019 and how to defend your organization in the future.   Some cybercriminals have specific organizations in mind when they’re planning an attac... view more
#CiscoChat Live: 2019 Cyber Threats of the Year
Created by Kelli Glass on 12-13-2019 03:17 PM
0
0
0
0
Join us live on Tuesday, December 17 at 9 am PT (and on demand after) to learn about the cyber threats of 2019 and how to defend your organization in the future. Some cybercriminals have specific organizations in mind when they’re planning an attack. We l... view more
Stealthwatch Enterprise - what capabilities does it provide ...
Created by ben.greenbaum on 12-12-2019 11:27 AM
0
0
0
0
Threat Response integrates with Cisco Stealthwatch Enterprise (SWE) to provide Visibility into network threats. By adding an SWE module to Threat Response, investigators will be able to search for network flows to or from IP addresses that have been reco... view more
Monitoring Failover status (ASA Cluster, Active/Standby) by ...
Created by Oleg Volkov on 12-12-2019 02:26 AM
0
0
0
0
Hi.Want to know Failover cluster status? If You have PRTG do it in 5 min.Download my sensor.Deploy REST API to Your ASA,sAdd my sensor to PRTG and set parameters:In PRTG device settings add linux user and password (ASA user, which have read permissions)-u... view more
CreatePlease to create content
Discussion
Blog
Document
Video