Beginner

ACS 5.2 Access Policies problem

Looking for some help as I am new to this version of ACS.

Here is the scenario:

We have two device groups

  1. ASAs for VPN access
  2. Wireless Controllers

There are 2 AAA devices in each group.

We have 4 Identity Stores

  1. ACS Internal User Store - This is used for external suppliers doing SSL VPN on ASAs
  2. External Radius server - this is a two factor authentication server that in turn looks up our AD and its own internal token database. This is used for IPSEC VPN access for internal employees.
  3. We have mapped AD groups - this is used for allowing access for wireless users.
  4. LDAP group mapped from other AD domain - used for allowing wireless access to an associated organisation.

Our requirements

  1. We need to create a rule for the VPN access that first of all looks through the ACS internal store - if a user is not found there then it checks the external Radius server. If no users are found there then access is denied.
  2. We need to create a similar rule for wireless users so that it will check AD - if a user is not found there then it checks LDAP. If no users are found then access is denied.

Any assistance you could give me with this would be much appreciated. If further information is required then please let me know.

Regards,

TC

Accepted Solutions
Cisco Employee

ACS 5.2 Access Policies problem

Hi Thomas,

For point 1, configure an "Identity store sequence" that consists of:

- ACS internal DB

- External RADIUS server

Let's call it "VPNSequence".

For point 2, configure an Identity store sequence of:

- AD

- LDAP

Let's call it "WirelessSequence".

Then configure the identity section of your "default network access" service.

Put a condition that will match the VPN access (for example, "network device belongs to the network device group 'VPN concentrators'"; you will obviously put all ASAs there). The identity store used will be the sequence you created above ("VPNSequence").

Create a second rule (for point 2) that will match wireless access (if network device belongs to the WLC group, for example) and that will use the sequence "WirelessSequence" as identity store.

This should authenticate everyone accordingly. However, only "permit access" will be returned. If you want to return various attributes, it's in the authorization tab and it's another topic :-)


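The two identity rules and identity store sequences from the accepted answer, modelled in Python as an added example (not code from the thread or from Cisco ACS). Store names, device-group membership and the sample users are constructed; the fall-through semantic modelled here is that only "user not found" advances to the next store in a sequence, while a wrong password in a store that knows the user is a reject.

```python
# Added example: a small model of how the identity policy described in
# the accepted answer resolves a request. Everything below is
# constructed for illustration (NAD addresses, store contents, names).

NOT_FOUND, FAILED, PASSED = "not_found", "failed", "passed"

# Constructed identity stores: user -> password
STORES = {
    "ACS Internal Users": {"supplier1": "Sup-Pass1"},
    "External RADIUS":    {"employee1": "Tok-123456"},
    "AD":                 {"alice": "Wifi-Pass"},
    "LDAP (partner AD)":  {"bob": "Partner-Pass"},
}

# Identity store sequences named in the accepted answer
SEQUENCES = {
    "VPNSequence":      ["ACS Internal Users", "External RADIUS"],
    "WirelessSequence": ["AD", "LDAP (partner AD)"],
}

# Network device groups (constructed NAD IPs) and the two identity rules
DEVICE_GROUPS = {
    "VPN concentrators": {"10.0.0.1", "10.0.0.2"},
    "WLC":               {"10.0.1.1", "10.0.1.2"},
}
IDENTITY_RULES = [("VPN concentrators", "VPNSequence"),
                  ("WLC", "WirelessSequence")]

def lookup(store, user, password):
    """Return NOT_FOUND, FAILED or PASSED for one identity store."""
    users = STORES[store]
    if user not in users:
        return NOT_FOUND
    return PASSED if users[user] == password else FAILED

def authenticate(nad_ip, user, password):
    """Pick the sequence by the NAD's device group, then walk its stores.
    Only NOT_FOUND advances to the next store; FAILED rejects at once, so
    a bad password in AD is not retried against LDAP (modelled policy)."""
    sequence = next((seq for group, seq in IDENTITY_RULES
                     if nad_ip in DEVICE_GROUPS[group]), None)
    if sequence is None:
        return "reject", "no identity rule matched"
    for store in SEQUENCES[sequence]:
        result = lookup(store, user, password)
        if result == PASSED:
            return "permit", store
        if result == FAILED:
            return "reject", f"bad credentials in {store}"
    return "reject", f"user not found in {sequence}"
```

Whether a failed password in an earlier store stops the sequence or falls through to the next store is the setting to verify in the real product, since fall-through on failure lets one set of credentials be tried against every store in the sequence.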
Beginner

ACS 5.2 Access Policies problem

Thanks a lot - that worked great - I hadn't noticed the sequence option for the identity stores!

Best regards,

Thomas.