Re: ACS 5.3 Appliance Issue with Group Settings

From: marc edwards <renorider_at_gmail.com>
Date: Thu, 31 May 2012 10:03:36 -0700

Adding to Sadiq's explanation. The policy engine has been separated to
default device admin and default network access. This can be further broken
out but defaults do well for most cases. First thing that is done in the
policy is to ID the identity store (AD, Local, LDAP, etc). This is
configured prior to working on policy. Next step is to work on policy.
Policies for network devices (mostly TACACS enabled) will end up using the
default device admin. Once the identity store has been defined, AAA devices
populated, you can begin to build policy. Same goes for default network
access (VPN, wifi, RADIUS).

Working on both 4.X and 5.X, I do believe 5.X is a ton more flexible and
intuitive to administer.

Marc
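The evaluation order Marc describes (pick the access service from the protocol, resolve the user in the identity store, then walk an ordered authorization rule table that ends in an implicit deny) can be made concrete as a small model. The Python below is an added example, not code from this thread or from Cisco ACS; the user-to-group table, the device-type values standing in for an NDG attribute, and the rule and profile names are all constructed to mirror Imran's three-group requirement (Tacacs users reach everything, VPN users reach VPN and Wireless, Wireless users reach Wireless only).

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Constructed identity store standing in for ACS internal users or AD groups
# imported into ACS 5.x. Group names follow the three groups in Imran's post.
IDENTITY_STORE: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"Tacacs"}),    # network admin
    "bob": frozenset({"VPN"}),         # remote-access user
    "carol": frozenset({"Wireless"}),  # wifi-only user
}

@dataclass(frozen=True)
class Request:
    user: str
    protocol: str     # "TACACS+" or "RADIUS"
    device_type: str  # hypothetical NDG "Device Type": "switch", "vpn-gateway", "wlc"

Condition = Callable[[Request, FrozenSet[str]], bool]

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Condition
    result: str  # constructed shell / authorization profile name

@dataclass(frozen=True)
class Decision:
    access_service: str
    permitted: bool
    rule: Optional[str]    # matched rule, "Default" for the implicit deny, None if no identity
    result: Optional[str]

def select_service(req: Request) -> str:
    # Service selection: TACACS+ requests go to Default Device Admin,
    # RADIUS requests (VPN, wireless) go to Default Network Access.
    return "Default Device Admin" if req.protocol == "TACACS+" else "Default Network Access"

def member_of_any(device_type: Optional[str], *groups: str) -> Condition:
    # Build a rule condition: optional device-type match AND membership in any listed group.
    wanted = frozenset(groups)
    return lambda req, member_of: (device_type is None or req.device_type == device_type) \
        and bool(member_of & wanted)

# Authorization policy per access service. First matching rule wins and the
# implicit last rule is deny, the same shape as the ACS 5.x rule table.
AUTHZ_POLICY: Dict[str, List[Rule]] = {
    "Default Device Admin": [
        Rule("DeviceAdmin-Tacacs", member_of_any(None, "Tacacs"), "Shell-Priv15"),
    ],
    "Default Network Access": [
        Rule("VPN-Access", member_of_any("vpn-gateway", "Tacacs", "VPN"), "VPN-Profile"),
        Rule("Wireless-Access", member_of_any("wlc", "Tacacs", "VPN", "Wireless"),
             "Wireless-Profile"),
    ],
}

def evaluate(req: Request) -> Decision:
    service = select_service(req)
    member_of = IDENTITY_STORE.get(req.user)
    if member_of is None:
        # Identity policy: user not found in the selected store, reject.
        return Decision(service, False, None, None)
    for rule in AUTHZ_POLICY[service]:
        if rule.condition(req, member_of):
            return Decision(service, True, rule.name, rule.result)
    # No rule matched: fall through to the implicit deny.
    return Decision(service, False, "Default", None)

if __name__ == "__main__":
    samples = [
        Request("alice", "TACACS+", "switch"),
        Request("alice", "RADIUS", "vpn-gateway"),
        Request("bob", "RADIUS", "wlc"),
        Request("bob", "TACACS+", "switch"),
        Request("carol", "RADIUS", "vpn-gateway"),
        Request("mallory", "RADIUS", "wlc"),
    ]
    for r in samples:
        print(r.user, r.protocol, r.device_type, "->", evaluate(r))
```

The point of the shape is that the restriction lives in the rule conditions rather than in the group object: the same group can appear in several services' rule tables, and anything not explicitly permitted falls through to the default deny at the bottom of each table.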

On Thu, May 31, 2012 at 6:36 AM, daniel.onwude <igevioya_at_gmail.com> wrote:

> Nicely stated Sadiq
>
> Best Regard
> Dan
>
> On May 31, 2012, at 13:30, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
> > ACS 5.x is only a beast until you understand how to unlock its power. It's
> > a box that provides a network admin with incredible flexibility when it
> > comes down to policies.
> >
> > First things first though, you have to give up your mentality of ACS 4.x
> > when you start working with 5.x. ACS 5.x has a policy based approach to
> > making definitions, which is different to the group/user-based one that
> > you have in 4.x.
> >
> > I don't see any real issues/restrictions with what you are trying to do
> > CitiWorm. You define Policy for all 3 types of protocols you have;
> > TACACS, VPN and WIRELESS and you can define 3 different identity stores;
> > Group 1, 2 and 3, for example.
> >
> > When the access protocol is TACACS, you say users can only be
> > authenticated in [Group1 or 2 or 3], for VPN, authenticate in [Group 1 or
> > 2] and for WIRELESS, Group 1 only.
> >
> > Now, the above is quite an over simplification, since it now depends on
> > if your users exist in the internal ACS store or they are now hosted in
> > Active Directory for example. If this is the case, it's still possible to
> > import the group information from AD into ACS 5.x and then define the
> > policies such that the authentication is done specific to AD groups that
> > have been imported into ACS 5.x.
> >
> > HTH a little.
> >
> > Sadiq
> >
> > On TACACS
> >
> > On Thu, May 31, 2012 at 2:49 AM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> >
> >> You missed his point and question. He's not talking about the device
> >> groups. If he's having those types of issues, the issue is with the
> >> restrictions.
> >>
> >> The groupings, called NDG's (network device groups), are applied to the
> >> authorization groups.
> >>
> >> I had the issue with our 3.3 to 4.2, to 5.1 to 5.3 upgrades. To put it
> >> out there, I had to use Cisco TAC for help as 5.x is a BEAST. I was
> >> hoping that ACS would be at Cisco LIVE, but it's not. I guess this is
> >> because the RADIUS function is included in ISE and it's road mapped to
> >> merge full TACACS into ISE.
> >>
> >> In short, I feel your pain. If you don't have support from TAC, I would
> >> crack out the config guide and trial and error some examples to get
> >> your hands around it. This is a larger problem than this distro can
> >> settle over email, unfortunately.
> >>
> >> Regards,
> >> Jay McMickle- CCIE #35355 (R&S)
> >> Sent from iJay
> >>
> >> On May 29, 2012, at 7:34 PM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:
> >>
> >>> Same thing, grouping etc exists in ACS v5.x.
> >>> Just the names are changed, now they are called by a different name and
> >>> there are multiple ways to group - by location, by name, by device type etc!
> >>>
> >>>
> >>> On Tue, May 29, 2012 at 7:27 PM, cityworm <cityworm_at_gmail.com> wrote:
> >>>
> >>>> Hi All
> >>>>
> >>>> Facing an issue with ACS 5.3 Appliance.
> >>>> Before, we had ACS 4.2.1 Windows 2003 version, which had 3 groups:
> >>>> VPN, Wireless and Tacacs,
> >>>> and we were able to do group level restriction, like Tacacs group
> >>>> users can access all 3 groups,
> >>>> whereas VPN group users can access VPN and Wireless, but the
> >>>> Wireless group users can only access Wireless traffic.
> >>>> But as we upgraded to ACS 5.3 appliance, which does not have group
> >>>> based restriction,
> >>>> so what is the solution for the above issue when we implement ACS 5.3
> >>>> appliance? I mean, how should we go about it?
> >>>>
> >>>> Regards
> >>>> Imran
> >>>>
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >
> >
> > --
> > CCIEx2 (R&S|Sec) #19963
Received on Thu May 31 2012 - 10:03:36 ART

This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:20 ART