Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1142
Views
0
Helpful
4
Replies

ACS 5.2 using AD to manage network device Admin policy creation

Go to solution
Marlon Malinao
Level 1
Level 1

‎05-23-2012 09:45 PM - edited ‎03-10-2019 07:07 PM

Hi All,

Need some light here, we managed to integrate our newly setup ACS 5.2 to our regional domain.  now im creating a Device Admin access Policy for Regional Network Admin group and Regional Network Operators group. each having full  and read access respectively. 

i already have the default  identity policy and authorization policy with with command sets  fullaccess and showonly for each group, now i dont know how can i match the AD group regionaladm and regionalops so that  each user falls under one of these groups will have a correct  read/write access.

regards,

marlon

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7

‎05-23-2012 09:56 PM

You need to start to add rules to the authorization policy

Go to

Access Policies> Access Services > Default Device Admin > Authorization

Press "Customize" and make AD1:External Groups a select condition and press OK

You can now make rules based on AD groups content

Press create and check the AD1:External Groups option and now can now enter the groups you want to check to assign access

Note the set of groups available for selection is defined in

Users and Identity Stores > External Identity Stores > Active Directory

Only groups selected here are available in policy

View solution in original post

0 Helpful
4 Replies 4

Go to solution
jrabinow
Level 7
Level 7

‎05-23-2012 09:56 PM

You need to start to add rules to the authorization policy

Go to

Access Policies> Access Services > Default Device Admin > Authorization

Press "Customize" and make AD1:External Groups a select condition and press OK

You can now make rules based on AD groups content

Press create and check the AD1:External Groups option and now can now enter the groups you want to check to assign access

Note the set of groups available for selection is defined in

Users and Identity Stores > External Identity Stores > Active Directory

Only groups selected here are available in policy

0 Helpful

Go to solution
Marlon Malinao
Level 1
Level 1
In response to jrabinow

‎05-23-2012 11:18 PM

Hi Thanks it works,

One question, how can i prevent other  users from logging in to the network devices, now all AD users will be able to access our network device.

regarda,

Marlon

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to Marlon Malinao

‎05-23-2012 11:27 PM

You have made these rules based membership of regionalops and regionaladm groups. However, you seem to be implying that not all members of these groups should in fact have access and there are some members of these groups that should not have access? If so is there any way to dentify those that should have access? is there some AD attribute or group that exists or can be arranged to be configured so that can have utilzie in the policy rules? That would be the cleanest approach.

If not, how many users are there that you want to allow access to?

0 Helpful

Go to solution
Marlon Malinao
Level 1
Level 1
In response to jrabinow

‎05-23-2012 11:50 PM

Hi Jrabinow,

  Its working now i created a Deny Rule for those ordinary member of Domain Users.

Thanks for the support.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents