ACS v5.5 authorization rules 320 limit
I am about to embark on a large service provider ACS migration / installation and I suspect I am going to need more than 320 authorization rules, which is the limit stated in the ACS v5.5 release notes.
Is the limit for the maximum number of rules for an Access Service, or for the ACS totally?
The limitation is for the total ACS.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/release/notes/acs_55_rn.html#90057
Table 13 Limitations in ACS Deployments

Object Type                          ACS System Limits
ACS Instances                        22
Hosts                                150,000
Identity Groups                      1,000
Active Directory Group Retrieval     1,500
Network Devices                      100,000
Network Device Groups                12
Device Hierarchies                   6
All Locations                        10,000
All Device Types                     350
Services                             25
Authorization Rules                  320
Conditions                           8
Authorization Profile                600
Service Selection Policy (SSP)       50
Network Conditions (NARs)            3,000
ACS Admins                           50 (9 static roles)
dACLs                                600 dACL with 100 ACEs each
Similar Messages
-
ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule
Hello guys, I have found a problem which I can't solve regarding authorization using Identity Groups in an Access Policy rule.
ACS version: 5.3.0.40.6 (internal build B.839)
I have a very simple RADIUS Authorization rule which authorizes a user on behalf of the right Identity Group.
The requested Identity Group exists.
The testing user is created in Internal Users and has the requested Identity Group assigned.
Radius Access Policy:
Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
Authorization is very simple: one Rule with only one Condition, which is: Identity Group - in - Requested_Testing_Rule. Then the Default rule is set to Deny.
When I try to log in with my testing user, authentication against RSA SecurID is OK, but authorization is denied by the Default rule. It looks like my Rule with Identity Group is totally omitted.
I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
What I have tested:
Remove the testing user and create his account again.
Rename Identity Group
Use another Identity Group
Remove the Access Policy rule and create it again
Use Compound Condition: System:Identity Group
Use Compound Condition: System:UserID instead of Identity Group in the Rule (it is working without problem)
Do you have any idea where the problem can be?
OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.
-
Max Authorization Rules in ISE
Just curious if anyone knew the max number of authorization rules you can have in an ISE deployment?
Sent from Cisco Technical Support iPad App
I read a discussion and it says devs have tested and support 140 Authorization rules in ISE 1.1.x.
Jatin Katyal
- Do rate helpful posts - -
OAM : Multi-valued attribute in Authorization Rule Actions
Our application is protected by an Oracle Access Manager deployment, where the identity user base is based in an Oracle Internet Directory.
In the OID, for every user entry, we have a multi-valued attribute (say, 'roleattr') which contains the roles recognized in our application. Once the user is authenticated by the Access Server, we need the roles associated with him to be fetched and returned in the page header (similar to uid).
Hence, our question is: in PolicyManager, by setting Authorization Rule > Actions, is it possible to retrieve this attribute (which is multi-valued) and populate it into the pageHeader, so that our application can retrieve the same?
Sure, you'll get a colon-delimited list of the multiple values in your header!
-Vinod -
Creating LDAP filter in authorization rule OAM 10G
Hi,
I want to set up an LDAP filter in an Authorization rule based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in an OAM authorization policy? Any pointers to documentation will be appreciated.
Also I want to know whether authorization always follows authentication, i.e. my redirection will be successful only after a user is authenticated in the end application based on the headers we send out after successful authentication.
Please Help
Thanks
Edited by: 904630 on Dec 27, 2011 5:34 AM
Edited by: 904630 on Dec 27, 2011 5:36 AM
Open the Identity Server console and check the attribute's Display Name and type in the Object Classes section. I recently faced a similar issue and it got fixed after providing these two values.
Hope it works for you as well :) -
Authorization Rule Success Return Value HeaderVar not found?
Policy Manager > Policy Domain > Authorization Rule > Actions > Success > Return

Type        Name           Return Value
HeaderVar   REMOTE_EMAIL   xxx

Type        Name           Return Attribute
HeaderVar   REMOTE-EMAIL   mail

But I cannot find any value for entry REMOTE_EMAIL or REMOTE-EMAIL, whether in ASP or JSP.
Other cookie values are OK. I doubt whether the HeaderVar is set, or whether "HeaderVar" is correct.
Thanks!
Is the page where you are expecting the HeaderVar to be shown the protected resource, or is it set as an Authorization redirection action? If it is an action, please protect the page by OAM (set the HeaderVar in the Policy), access the page directly and see if it shows the HeaderVar.
HTH. -
ACS 5.3 cannot create default network access authorization rule
Hi, when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However I have no way to configure conditions, as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used... anyone have an idea? Thank you!
Looks like you are using Chrome and it's not a supported browser.
Supported Web Client/Browsers
You can access ACS 5.3 administrative user interface using the following Web Client/Browsers:
•Windows 7 32 bit
•Windows XP Professional (Service Pack 2 and 3)
•Windows Vista
•Internet Explorer version 7.x
•Internet Explorer version 8.x
•Internet Explorer version 9.x
•Mozilla Firefox version 3.x
•Mozilla Firefox version 4.x
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp222016
Jatin Katyal
- Do rate helpful posts - -
Hi,
I am in the process of setting up OAM/OID to provide secure access to a website.
Part of the website is public and part of the website is secure.
For the secure part I want to limit access to a particular group of users, i.e. those who belong to secureGroup, which has been created through the GroupManager function of Identity Administration.
I have created a Policy Domain for the protected part. I have also created an Authorisation Rule for the allowed users to grant them access. My understanding is that I need to create an LDAP rule to provide access to the group in question.
What is the format of the rule? The documentation goes a bit light as to the format of the rule. I am just not sure how to say: is the current user a member of secureGroup.....
Any help or pointers would be useful.
You're on the right track; however, the LDAP filter definition will not help you with a group-based authorization decision (as a 'group' object never logs into the system).
Hit the 'select user' button, which opens the OAM selector app. Look closely in the top right-hand corner of the UI for blue links on the blue background: one for Employees, one for Groups. Select Groups, then search for and select your group object. Save the rule.
You can make the UI better by defining tab images for the person and group objectclasses - then those links are much more obvious.
Mark -
ACS 5.3 authorization with Juniper WXC-3400
In the process of migrating from ACS 4.1 to ACS 5.3. Authentication works fine, but I am having issues with authorization on the Juniper WXC-3400 devices. In ACS 4.1 we were passing TACACS+ Shell (exec) Custom attributes Privilege level=15, which allowed a user to log in with read/write privileges. In ACS 5.3 I tried setting the Shell Profiles common task to 15 for both Default and Maximum (one at a time, and together), as well as setting the Custom Attributes for priv-lvl=15 (with and without Common Tasks set).
A capture shows Auth Status: 0x11 (ERROR).
Any ideas?
Thanks in advance!
No. Time Source Destination VLAN Protocol Info
18 09:14:00.268166580 WX_Juniper ACS_5_3 TACACS+ Q: Authorization
Frame 18: 107 bytes on wire (856 bits), 107 bytes captured (856 bits)
Ethernet II, Src: Cisco_cd:46:af (00:07:7d:cd:46:af), Dst: Ibm_fe:9a:63 (5c:f3:fc:fe:9a:63)
Internet Protocol, Src: WX_Juniper (WX_Juniper), Dst: ACS_5_3 (ACS_5_3)
Transmission Control Protocol, Src Port: l2c-control (4371), Dst Port: tacacs (49), Seq: 1, Ack: 1, Len: 49
TACACS+
Major version: TACACS+
Minor version: 0
Type: Authorization (2)
Sequence number: 1
Flags: 0x04 (Encrypted payload, Single connection)
Session ID: 1491582254
Packet length: 37
Encrypted Request
Decrypted Request
Auth Method: TACACSPLUS
Privilege Level: 1
Authentication type: ASCII
Service: Login
User len: 8
User: stmartin
Port len: 7
Port: console
Remaddr len: 0
Arg count: 1
Arg[0] length: 13
Arg[0] value: service=shell
No. Time Source Destination VLAN Protocol Info
20 09:14:00.271608140 ACS_5_3 WX_Juniper TACACS+ R: Authorization
Frame 20: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
Ethernet II, Src: Ibm_fe:9a:63 (5c:f3:fc:fe:9a:63), Dst: Cisco_cd:46:af (00:07:7d:cd:46:af)
Internet Protocol, Src: ACS_5_3 (ACS_5_3), Dst: WX_Juniper (WX_Juniper)
Transmission Control Protocol, Src Port: tacacs (49), Dst Port: l2c-control (4371), Seq: 1, Ack: 50, Len: 18
TACACS+
Major version: TACACS+
Minor version: 0
Type: Authorization (2)
Sequence number: 2
Flags: 0x00 (Encrypted payload, Multiple Connections)
Session ID: 1491582254
Packet length: 6
Encrypted Reply
Decrypted Reply
Auth Status: 0x11 (ERROR)
Server Msg length: 0
Data length: 0
Arg count: 0 -
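As an added example (not from the poster, Juniper or Cisco), here is a small Python builder and parser for the TACACS+ authorization REQUEST and REPLY bodies defined in RFC 8907, reconstructing the decrypted fields shown in the capture above. The sample bytes are constructed to match those fields (user stmartin, port console, service=shell, reply status 0x11) rather than copied from the capture; note that ERROR (0x11) is a distinct status from a policy FAIL (0x10), so the device is not being told "denied" but "the server could not process this".

```python
import struct

# 12-byte TACACS+ header: version, type, seq_no, flags, session_id, body length
HDR = struct.Struct("!BBBBII")
TAC_PLUS_AUTHOR = 0x02               # packet type seen in the capture
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # request flags 0x04; unencrypted bit 0x01 is clear
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}


def build_author_request(user, port, args, priv_lvl=1, rem_addr=""):
    """REQUEST body: 8 fixed bytes, one length byte per arg, then the strings."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    args = [a.encode() for a in args]
    fixed = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01,  # TACACSPLUS, priv, ASCII, LOGIN
                        len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body):
    """Decode a (decrypted) authorization REQUEST body into its fields."""
    method, priv, atype, svc, ulen, plen, rlen, argc = struct.unpack_from("!8B", body)
    arg_lens, off, fields = list(body[8:8 + argc]), 8 + argc, []
    for n in (ulen, plen, rlen, *arg_lens):
        fields.append(body[off:off + n].decode()); off += n
    if off != len(body):
        raise ValueError("authorization request body length mismatch")
    user, port, rem_addr, *args = fields
    return {"priv_lvl": priv, "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def parse_author_reply(body):
    """Decode a REPLY body: status, arg_cnt, server_msg_len, data_len, arg lengths,
    then server_msg, data and the argument strings."""
    status, argc, msg_len, data_len = struct.unpack_from("!BBHH", body)
    arg_lens, off = list(body[6:6 + argc]), 6 + argc
    server_msg = body[off:off + msg_len].decode(); off += msg_len
    data = body[off:off + data_len]; off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    if off != len(body):
        raise ValueError("authorization reply body length mismatch")
    return {"status": AUTHOR_STATUS.get(status, "UNKNOWN(0x%02x)" % status),
            "server_msg": server_msg, "data": data, "args": args}


def wrap(seq_no, flags, session_id, body):
    """Prepend the header; version 0xc0 is major 0xc, minor 0, as in the capture."""
    return HDR.pack(0xC0, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body)) + body


def demo():
    """Rebuild the captured exchange: a 37-byte request body and a 6-byte ERROR reply."""
    req = build_author_request("stmartin", "console", ["service=shell"])
    req_pkt = wrap(1, TAC_PLUS_SINGLE_CONNECT_FLAG, 1491582254, req)
    reply = struct.pack("!BBHH", 0x11, 0, 0, 0)     # constructed: status ERROR, no args/msg
    reply_pkt = wrap(2, 0x00, 1491582254, reply)
    return (HDR.unpack_from(req_pkt)[5], parse_author_request(req),
            HDR.unpack_from(reply_pkt)[5], parse_author_reply(reply))
```

The header lengths 37 and 6 returned by demo() match the "Packet length" fields in the two captured frames, confirming that the server returned nothing but the bare status byte.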
ACS - Shell Command Authorization Sets
Hi,
I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasn't changed. Other commands are working. As this is spanning two groups in ACS, I am thinking it's not something with the groups but the command sets itself.
Just to check, the commands are 'clear port-security' and 'clear mac address-table'. I have entered in Command 'clear' and the following attributes:
permit port-security
permit mac address-table
I've also ticked 'Permit unmatched args'.
At the same time as this is occurring I have been receiving the following messages from the ACS server via email:
Test Timed out for service: CSAdmin
Test Timed out for service: CSAuth
Test Timed out for service: CSDbSync
Test Timed out for service: CSLog
I have looked at other posts and have restarted CSMon. This then stops the messages for some time, then a day or so later I get the messages again.
Could this be tied in with the command issue? Is there something else I should look at other than restarting the server and the CSMon service again? All other CS' services are running.
Thanks!!
Steve
Thanks for your reply!
There are no errors; the switch IOS is putting the asterisks as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised. On this note, the user is entered into privilege mode and not into configure terminal mode, just base privilege mode. The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
I am using ACS v 4.1.
While I receive the service messages and also when they go away - I always have the authorisation problem.
Thanks
Steve -
Secure ACS 4.2 Authorization Profiles
Hi,
I have two user groups and I want to use my first group for authentication to the network devices. The second group should only be used for 802.1x network access and have no access to network devices. How can we do it with the authorization profiles? Any example?
Thanks
Hello,
First of all, take a backup (as a precaution, to be able to restore the config if something goes wrong), then proceed with the following:
- Remove the windows domain configuration (group mapping...etc) from the server before changing the domain.
- Change the domain membership then reboot.
- Follow the post-installation tasks for ACS (check this link): http://tiny.cc/zr6huw.
- Configure the external database again on the ACS (group mapping, unknown user policy, etc.).
You need to note also that if the new domain controller is Windows Server 2008 R2, that is not supported in ACS 4.x.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you" -
Settlement, Distribution rule; Validity limit
Dear All,
Whenever I am creating an Internal Order in KO01, the following are the things I maintained in the Order:
Settlement Profile in Order Type
It is a Real Order
Statistical Order CB was deselected;
These are the things I maintained, even though it shows the following errors:
1. Enter a distribution rule for WBS element without a validity limit
Message no. KD059
2. Enter a distribution rule for Cost center without a validity limit
Message no. KD059
Actually my doubt is, where do we have to maintain the Validity Limit? In the Settlement Profile or where?
Regards
Raj
Dear Greta Baranyai
Here it shows the following error while doing the settlement in CJ88; here the sender is the WBS. In that WBS I maintained the Rule: Receiver Cat: CTR, Cost Center Name: XXX, Settlement: Full, & 100 etc. Even though, it shows the following error.
Error:- Maintain the settlement rule of the sender
Message no. KD205
Any help
Regards
Raj -
ACS File Operation Bulk Upload (Device limit?)
Hi
I was trying to upload about 250 devices to my ACS server using the file operations option.
I downloaded the template and added the devices, but when I try to add the 250 devices only 15 would add at any one time. Why? Does anyone know what the problem might be?
I've modified the template many times to see if the template was the issue; however, every time it's limited to 15 devices.
I've already uploaded the devices manually, but for future users and myself I'm wondering if anyone knows what the reason could be.
Cheers,
Paul
There is no built-in limit and I have seen this working with many more than 15 devices, but I cannot say what your issue was without seeing the file you used.
One thing you could try is doing an export; you can then see the file format/contents for all devices -
ACS Tacacs+ aaa authorization commands
Hi,
I would like to authorize only certain configuration commands via the TACACS+ server, so in the group setup of ACS I have checked 'command', written 'configure' in the field, and declared as arguments 'permit terminal' and 'permit snmp-server enable traps'. But I cannot configure snmp until I declare in the router: privilege config level 7 snmp-server enable. (I use a level 7 user.)
My question is: is there a way to control the granularity of configuration commands on the ACS, in the same way as you can control the granularity of the show commands?
Many thanks
Patrice
Yes, you can get very granular using Command Authorization Sets, and they can be applied to individual users or groups.
Setting Up and Managing Shared Profile Components
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html
hth -
ACS shell command authorization help
Hello,
I want to only allow users to use the interface command. But when I permit 'config terminal' in the ACS shell command set, all the commands are allowed. How can I limit the users to only have permission for the interface command?
Thanks
Two things could be wrong:
1) You don't have the following command on your AAA Client:
aaa authorization config-commands
2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards
Farrukh