Re: ACS 5.3 Appliance Issue with Group Settings

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Thu, 31 May 2012 13:30:53 +0100

ACS 5.x is only a beast until you understand how to unlock its power. It's a
box that provides a network admin with incredible flexibility when it comes
down to policies.

First things first though, you have to give up your mentality of ACS 4.x
when you start working with 5.x. ACS 5.x has a policy-based approach to
making definitions, which is different from the group/user-based one that you
have in 4.x.

I don't see any real issues/restrictions with what you are trying to do,
CitiWorm. You define a policy for all 3 types of protocols you have: TACACS,
VPN and WIRELESS, and you can define 3 different identity stores: Group 1, 2
and 3, for example.

When the access protocol is TACACS, you say users can only be authenticated
in [Group1 or 2 or 3], for VPN, authenticate in [Group 1 or 2] and for
WIRELESS, Group 1 only.

Now, the above is quite an oversimplification, since it now depends on whether
your users exist in the internal ACS store or they are now hosted in Active
Directory, for example. If this is the case, it's still possible to import
the group information from AD into ACS 5.x and then define the policies
such that the authentication is done specific to AD groups that have been
imported into ACS 5.x.

HTH a little.

Sadiq

On TACACS

On Thu, May 31, 2012 at 2:49 AM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:

> You missed his point and question. He's not talking about the device
> groups. If he's having those types of issues, the issue is with the
> restrictions.
>
> The groupings, called NDG's (network device groups), are applied to the
> authorization groups.
>
> I had the issue with our 3.3 to 4.2, to 5.1 to 5.3 upgrades. To put it out
> there, I had to use Cisco TAC for help as 5.x is a BEAST. I was hoping
> that ACS would be at Cisco LIVE, but it's not. I guess this is because the
> RADIUS function is included in ISE and road-mapped to merge full
> TACACS into ISE.
>
> In short, I feel your pain. If you don't have support from TAC, I would
> crack out the config guide and trial and error some examples to get your
> hands around it. This is a larger problem than this distro can settle over
> email, unfortunately.
>
> Regards,
> Jay McMickle- CCIE #35355 (R&S)
> Sent from iJay
>
> On May 29, 2012, at 7:34 PM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:
>
> > Same thing, grouping etc. exists in ACS v5.x.
> > Just the names are changed, now they are called by different names and there are
> > multiple ways to group - by location, by name, by device type etc.!
> >
> >
> > On Tue, May 29, 2012 at 7:27 PM, cityworm <cityworm_at_gmail.com> wrote:
> >
> >> Hi All
> >>
> >> Facing an issue with the ACS 5.3 Appliance.
> >> Before, we had the ACS 4.2.1 Windows 2003 version, which had 3
> >> groups: VPN, Wireless and Tacacs,
> >> and we were able to do group-level restriction, like Tacacs group users
> >> can access all 3 groups,
> >> whereas VPN group users can access VPN and Wireless, but the Wireless
> >> group users can only access Wireless traffic.
> >> But as we upgraded to the ACS 5.3 appliance, which is not group-based
> >> restriction,
> >> what is the solution for the above issue when we implement the ACS 5.3
> >> appliance? I mean, how should we go about it?
> >>
> >> Regards
> >> Imran
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html

-- 
CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net
Received on Thu May 31 2012 - 13:30:53 ART

This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:20 ART