Re: ACS 5.3 Appliance Issue with Group Settings

From: daniel.onwude <igevioya_at_gmail.com>
Date: Thu, 31 May 2012 14:36:00 +0100

Nicely stated Sadiq

Best Regards
Dan

On May 31, 2012, at 13:30, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> ACS 5.x is only a beast until you understand how to unlock its power. It's a
> box that provides a network admin with incredible flexibility when it comes
> down to policies.
>
> First things first though, you have to give up your mentality of ACS 4.x
> when you start working with 5.x. ACS 5.x has a policy based approach to
> making definitions, which is different to the group/user-based one that you
> have in 4.x.
>
> I don't see any real issues/restrictions with what you are trying to do
> CitiWorm. You define Policy for all 3 types of protocols you have; TACACS,
> VPN and WIRELESS and you can define 3 different identity stores; Group 1, 2
> and 3, for example.
>
> When the access protocol is TACACS, you say users can only be authenticated
> in [Group1 or 2 or 3], for VPN, authenticate in [Group 1 or 2] and for
> WIRELESS, Group 1 only.
>
> Now, the above is quite an oversimplification, since it now depends on if
> your users exist in the internal ACS store or they are now hosted in Active
> Directory for example. If this is the case, it's still possible to import
> the group information from AD into ACS 5.x and then define the policies
> such that the authentication is done specific to AD groups that have been
> imported into ACS 5.x.
>
> HTH a little.
>
> Sadiq
>
> On TACACS
>
> On Thu, May 31, 2012 at 2:49 AM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>
>> You missed his point and question. He's not talking about the device
>> groups. If he's having those types of issues, the issue is with the
>> restrictions.
>>
>> The groupings, called NDG's (network device groups), are applied to the
>> authorization groups.
>>
>> I had the issue with our 3.3 to 4.2, to 5.1 to 5.3 upgrades. To put it out
>> there, I had to use Cisco TAC for help as 5.x is a BEAST. I was hoping
>> that ACS would be at Cisco LIVE, but it's not. I guess this is because the
>> RADIUS function is included in ISE and road mapped to be merged it full
>> TACACS into ISE.
>>
>> In short, I feel your pain. If you don't have support from TAC, I would
>> crack out the config guide and trial and error some examples to get your
>> hands around it. This is a larger problem than this distro can settle over
>> email, unfortunately.
>>
>> Regards,
>> Jay McMickle- CCIE #35355 (R&S)
>> Sent from iJay
>>
>> On May 29, 2012, at 7:34 PM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:
>>
>>> Same thing, grouping etc. exists in ACS v5.x.
>>> Just the names are changed, now they are called different names and there are
>>> multiple ways to group - by location, by name, by device type etc!
>>>
>>>
>>> On Tue, May 29, 2012 at 7:27 PM, cityworm <cityworm_at_gmail.com> wrote:
>>>
>>>> Hi All
>>>>
>>>> Facing an issue with ACS 5.3 Appliance,
>>>> before we have ACS 4.2.1 windows 2003 version, which was having 3 no of
>>>> Groups VPN, Wireless and Tacacs.
>>>> and we can be able to do group level restriction, like Tacacs group user
>>>> can access all 3 no of group
>>>> and whereas VPN group user can access VPN and Wireless, but the wireless
>>>> Group users can only access Wireless traffic.
>>>> But as we upgraded to ACS 5.3 appliance, which is not a group based
>>>> restriction,
>>>> so what is the solution for the above issue when we implement ACS 5.3
>>>> appliance I mean how should we go about it.
>>>>
>>>> Regards
>>>> Imran
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> CCIEx2 (R&S|Sec) #19963

Received on Thu May 31 2012 - 14:36:00 ART
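
The following is an added example, not part of the thread and not ACS configuration syntax or an ACS API: a conceptual Python model of the shift the thread describes, from per-group restrictions to rules keyed on the access protocol. It encodes the requirement from the original question as a first-match rule table with a default deny; the names `Rule`, `POLICY`, `evaluate` and `access_matrix` and the rule names are assumptions made for illustration, and the group names are taken from the question.

```python
# Conceptual model only: not ACS configuration syntax and not an ACS API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str          # constructed rule name
    protocol: str      # access protocol the request arrived on
    groups: frozenset  # identity groups this rule matches
    result: str        # "permit" or "deny"


# Requirement from the original question, turned around so that each
# protocol lists the identity groups allowed to use it.
POLICY = [
    Rule("tacacs-rule", "TACACS", frozenset({"Tacacs"}), "permit"),
    Rule("vpn-rule", "VPN", frozenset({"Tacacs", "VPN"}), "permit"),
    Rule("wireless-rule", "WIRELESS",
         frozenset({"Tacacs", "VPN", "Wireless"}), "permit"),
]


def evaluate(protocol, user_groups, policy=POLICY):
    """Return (result, rule_name) of the first matching rule; default deny."""
    groups = frozenset(user_groups)
    for rule in policy:
        if rule.protocol == protocol and rule.groups & groups:
            return rule.result, rule.name
    # No rule matched: unknown protocol, or user in no permitted group.
    return "deny", "default"


def access_matrix(policy=POLICY):
    """Map each identity group to the protocols a member may use."""
    protocols = ["TACACS", "VPN", "WIRELESS"]
    groups = sorted(set().union(*(r.groups for r in policy)))
    return {
        g: [p for p in protocols if evaluate(p, [g], policy)[0] == "permit"]
        for g in groups
    }


if __name__ == "__main__":
    for group, allowed in access_matrix().items():
        print(f"{group:9s} -> {', '.join(allowed) or 'none'}")
```

Printing the matrix before and after a rule change is a quick way to confirm that no group gained a protocol it did not have under the old group-level restrictions.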

This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:20 ART