ACS v5.5 authorization rules 320 limit

I am about to embark on a large service provider ACS migration / installation and I suspect I am going to need more than 320 authorization rules, which is the limit stated in the ACS v5.5 release notes.
Is the limit for the maximum number of rules for an Access Service, or for the ACS totally?

The limitation is for the total ACS.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/release/notes/acs_55_rn.html#90057
Table 13  Limitations in ACS Deployments

Object Type                          ACS System Limits
ACS Instances                        22
Hosts                                150,000
Identity Groups                      1,000
Active Directory Group Retrieval     1,500
Network Devices                      100,000
Network Device Groups                12
Device Hierarchies                   6
All Locations                        10,000
All Device Types                     350
Services                             25
Authorization Rules                  320
Conditions                           8
Authorization Profile                600
Service Selection Policy (SSP)       50
Network Conditions (NARs)            3,000
ACS Admins                           50 (9 static roles)
dACLs                                600 dACL with 100 ACEs each

Similar Messages

  • ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

    Hello guys, I have found a problem which I can't solve regarding authorization using Identity Groups in an Access Policy rule.
    ACS version: 5.3.0.40.6 (internal build B.839)
    I have a very simple RADIUS Authorization rule which authorizes a user based on the right Identity Group.
    The requested Identity Group exists.
    The testing user is created in Internal Users and has the requested Identity Group assigned.
    Radius Access Policy: 
    Authentication against an Identity Store Sequence, where the authentication server is an external RSA SecurID device and additional attribute retrieval is configured from Internal Users.
    Authorization is very simple – one Rule with only one Condition, which is: Identity Group - in - Requested_Testing_Rule. Then the Default rule is set to Deny.
    When I try to log in with my testing user, authentication against RSA SecurID is OK, but authorization is denied by the Default rule – it looks like my Rule with the Identity Group is totally omitted.
    I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
    What I have tested:
    Remove testing user and create his account again.
    Rename Identity Group
    Use another Identity Group
    Remove Access Policy rule and create it again
    Use Compound Condition: System:Identity Group
    Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
    Do you have any idea where problem can be?

    OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.

  • Max Authorization Rules in ISE

    Just curious if anyone knew the max number of authorization rules you can have in an ISE deployment?
    Sent from Cisco Technical Support iPad App

    I read a discussion and it says devs have tested and support 140 Authorization rules in ISE 1.1.x.
    Jatin Katyal
    - Do rate helpful posts -

  • OAM : Multi-valued attribute in Authorization Rule Actions

    Our application is protected by an Oracle Access Manager deployment, where the identity user base is based in an Oracle Internet Directory.
    In the OID, for every user entry, we have a multi valued attribute (say, 'roleattr') which contains the roles recognized in our application. Once the user is authenticated by the Access Server, we need the roles associated to him to be fetched and returned in the page header (similar to uid).
    Hence, our question is: in PolicyManager, by setting the Authorization Rule > Actions, is it possible to retrieve this attribute (which is multi-valued) and populate it into the page header, so that our application can retrieve it?

    Sure, you'll get a colon-delimited list of the multiple values in your header!
    -Vinod

  • Creating LDAP filter in authorization rule OAM 10G

    Hi,
    I want to set up an LDAP filter in an Authorization rule based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in an OAM authorization policy? Any pointers to documentation will be appreciated.
    Also, I want to know whether authorization always follows authentication, i.e. my redirection will be successful only after a user is authenticated in the end application based on the headers we send out after successful authentication.
    Please Help
    Thanks

    Open Identity server console and check the attribute's Display Name and type in Object classes section. I recently faced a similar issue and it got fixed after providing these two values.
    Hope it works for you as well :)

  • Authorization Rule Success Return Value HeaderVar not found?

    Policy Manager > Policy Domain > Authorization Rule > Actions > Success > Return:
    Type        Name            Return Value
    HeaderVar   REMOTE_EMAIL    xxx
    Type        Name            Return Attribute
    HeaderVar   REMOTE-EMAIL    mail
    But I cannot find any value for the entry REMOTE_EMAIL or REMOTE-EMAIL, in either ASP or JSP.
    Other cookie values are OK. I am not sure whether the HeaderVar is set or not, or whether "HeaderVar" is correct.
    Thanks!

    The page where you are expecting the HeaderVar to be shown is the resource protected or it is set as Authorization redirection action? If as action, please protect the page by OAM (set the HeaderVar in the Policy) and access the page directly and see if it shows the headerVar.
    HTH.

  • ACS 5.3 cannot create default network access authorization rule

    Hi, when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However I have no way to configure conditions as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used.. anyone have an idea? Thank you!

    Looks like you are using Chrome and it's not a supported browser.
    Supported Web Client/Browsers
    You can access ACS 5.3 administrative user interface using the following Web Client/Browsers:
    • Windows 7 32 bit
    • Windows XP Professional (Service Pack 2 and 3)
    • Windows Vista
    • Internet Explorer version 7.x
    • Internet Explorer version 8.x
    • Internet Explorer version 9.x
    • Mozilla Firefox version 3.x
    • Mozilla Firefox version 4.x
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp222016
    Jatin Katyal
    - Do rate helpful posts -

  • Authorization Rules.

    Hi,
    I am in the process of setting up OAM/OID to provide secure access to a website.
    Part of the website is public and part of the website is secure.
    For the secure part I want to limit access to a particular group of users who belong to i.e. secureGroup which has been created through the GroupManager function of Identity Administration.
    I have created a Policy Domain for the protected part. I have also created an Authorisation Rule for the allowed users to grant them access. My understanding is that I need to create an LDAP rule to provide access to the group in question.
    What is the format of the rule? The documentation goes a bit light as to the format of the rule. I am just not sure how to say: is the current user a member of secureGroup...
    Any help or pointers would be useful.

    You're on the right track, however, the LDAP filter definition will not help you with a group based authorization decision (as a 'group' object never logs into the system).
    Hit the 'select user' button which opens the OAM selector app. Look closely in the top right hand corner of the UI for blue links on the blue background - one for Employees, one for Groups. Select Groups and then search for and select your group object. Save the rule.
    You can make the UI better by defining tab images for the person and group objectclasses - then those links are much more obvious.
    Mark

  • ACS 5.3 authorization with Juniper WXC-3400

    In the process of migrating from ACS 4.1 to ACS 5.3. Authentication works fine, but having issues with authorization on the Juniper WXC-3400 devices. In ACS  4.1 we were passing TACACS+Shell (exec) Custom attributes Privilege level=15, which allowed a user to login with read/write privileges. In ACS 5.3  tried setting the Shell Profiles common task to 15 for both Default and Maximum (one at a time, and together), as well as setting the Custom Attributes for priv-lvl=15 (with and without Common Tasks set).
    A capture shows Auth Status: 0x11  (ERROR).
    Any ideas?
    Thanks in advance!

    No.     Time               Source                Destination           VLAN Protocol Info
    18 09:14:00.268166580      WX_Juniper             ACS_5_3           TACACS+  Q: Authorization
    Frame 18: 107 bytes on wire (856 bits), 107 bytes captured (856 bits)
    Ethernet II, Src: Cisco_cd:46:af (00:07:7d:cd:46:af), Dst: Ibm_fe:9a:63 (5c:f3:fc:fe:9a:63)
    Internet Protocol, Src: WX_Juniper (WX_Juniper), Dst: ACS_5_3 (ACS_5_3)
    Transmission Control Protocol, Src Port: l2c-control (4371), Dst Port: tacacs (49), Seq: 1, Ack: 1, Len: 49
    TACACS+
        Major version: TACACS+
        Minor version: 0
        Type: Authorization (2)
        Sequence number: 1
        Flags: 0x04 (Encrypted payload, Single connection)
        Session ID: 1491582254
        Packet length: 37
        Encrypted Request
        Decrypted Request
            Auth Method: TACACSPLUS
            Privilege Level: 1
            Authentication type: ASCII
            Service: Login
            User len: 8
            User: stmartin
            Port len: 7
            Port: console
            Remaddr len: 0
            Arg count: 1
            Arg[0] length: 13
            Arg[0] value: service=shell
    No.     Time               Source                Destination           VLAN Protocol Info
         20 09:14:00.271608140 ACS_5_3       WX_Juniper             TACACS+  R: Authorization
    Frame 20: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
    Ethernet II, Src: Ibm_fe:9a:63 (5c:f3:fc:fe:9a:63), Dst: Cisco_cd:46:af (00:07:7d:cd:46:af)
    Internet Protocol, Src: ACS_5_3 (ACS_5_3), Dst: WX_Juniper (WX_Juniper)
    Transmission Control Protocol, Src Port: tacacs (49), Dst Port: l2c-control (4371), Seq: 1, Ack: 50, Len: 18
    TACACS+
        Major version: TACACS+
        Minor version: 0
        Type: Authorization (2)
        Sequence number: 2
        Flags: 0x00 (Encrypted payload, Multiple Connections)
        Session ID: 1491582254
        Packet length: 6
        Encrypted Reply
        Decrypted Reply
            Auth Status: 0x11 (ERROR)
            Server Msg length: 0
            Data length: 0
            Arg count: 0
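    The two frames in that capture re-encoded as an added example (not code from the post, Cisco or Juniper): it builds the TACACS+ authorization REQUEST and the status 0x11 (ERROR) REPLY per the RFC 8907 layouts, applies the MD5 pseudo-pad body obfuscation, and parses the reply back to a named status. The session ID, user, port and service=shell argument come from the capture; the shared secret and all function names are assumptions.

```python
import hashlib
import struct

TAC_PLUS_AUTHOR = 2                 # header "type" for authorization packets
TAC_PLUS_VERSION = 0xC0             # major 0xC, minor 0, as shown in the capture
UNENCRYPTED_FLAG, SINGLE_CONNECT_FLAG = 0x01, 0x04
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
KEY = b"constructed-shared-secret"  # placeholder, not the poster's real key
SESSION_ID = 1491582254             # session ID taken from the capture

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 of session_id|key|version|seq_no[|previous block]."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """Body XOR pseudo-pad; XOR is its own inverse, so this also decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def packet(seq_no, flags, body):
    """12-byte header followed by the obfuscated body."""
    hdr = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no,
                      flags, SESSION_ID, len(body))
    return hdr + obfuscate(body, SESSION_ID, KEY, TAC_PLUS_VERSION, seq_no)

def author_request(user, port, args, priv_lvl=1, authen_type=1, service=1):
    """REQUEST body: 8 fixed bytes, one length byte per arg, then the strings.
    authen_method 6 = TACACSPLUS, authen_type 1 = ASCII, service 1 = LOGIN."""
    body = struct.pack("!8B", 6, priv_lvl, authen_type, service,
                       len(user), len(port), 0, len(args))  # rem_addr_len = 0
    return body + bytes(len(a) for a in args) + user + port + b"".join(args)

def author_reply(status, server_msg=b"", data=b"", args=()):
    """REPLY body: status, arg_cnt, server_msg_len, data_len, then payloads."""
    body = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return body + bytes(len(a) for a in args) + server_msg + data + b"".join(args)

def parse_author_reply(raw, key):
    """Split the header, decode the body and name the status (0x11 -> ERROR)."""
    version, ptype, seq_no, flags, sid, length = struct.unpack("!BBBBII", raw[:12])
    if ptype != TAC_PLUS_AUTHOR or len(raw) != 12 + length:
        raise ValueError("not a complete TACACS+ authorization packet")
    body = raw[12:]
    if not flags & UNENCRYPTED_FLAG:           # flag clear = body is obfuscated
        body = obfuscate(body, sid, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    return {"seq_no": seq_no, "session_id": sid, "length": length, "status": status,
            "status_name": AUTHOR_STATUS.get(status, "UNKNOWN"), "arg_cnt": arg_cnt}

def build_exchange():
    """Frame 18 (Q: Authorization) and frame 20 (R: Authorization, ERROR)."""
    req = packet(1, SINGLE_CONNECT_FLAG,
                 author_request(b"stmartin", b"console", [b"service=shell"]))
    rep = packet(2, 0x00, author_reply(0x11))
    return req, rep
```

    The request body comes out at 37 bytes and the reply at 6, matching the "Packet length" fields in the capture; a wrong shared secret on either side decodes the body to garbage, which is one reason to check the key before reading anything into the status.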

  • ACS - Shell Command Authorization Sets

    Hi,
    I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasn't changed. Other commands are working. As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets themselves.
    Just to check, the commands are 'clear port-security' and 'clear mac address-table' - I have entered in Command 'clear' and the following attributes:
    permit port-security
    permit mac address-table
    I've also ticked 'Permit unmatched args'.
    At the same time as this is occurring I have been receiving the following messages from the ACS server via email:
    Test Timed out for service: CSAdmin
    Test Timed out for service: CSAuth
    Test Timed out for service: CSDbSync
    Test Timed out for service: CSLog
    I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
    Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
    Thanks!!
    Steve

    Thanks for your reply!
    There are no errors; the switch IOS is putting the asterisks as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised. On this note, the user is entered into privilege mode and not in configure terminal mode, just base privilege mode. The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
    I am using ACS v 4.1.
    While I receive the service messages and also when they go away - I always have the authorisation problem.
    Thanks
    Steve

  • Secure ACS 4.2 Authorization Profiles

    Hi,
    I have two user groups and I want to use my first group to use with authentication to the network devices. Second group should be only used for 802.1x network access and no access to network devices. How can we do it with the authorization profiles, any example?
    Thanks

    Hello,
    First of all, take a backup (as a precaution to be able to restore the config if something goes wrong), then proceed with the following:
    - Remove the Windows domain configuration (group mapping, etc.) from the server before changing the domain.
    - Change the domain membership, then reboot.
    - Follow the post-installation tasks for ACS (check this link): http://tiny.cc/zr6huw.
    - Configure the external database again on the ACS (group mapping, unknown user policy..etc).
    You need to notice also that if the new domain controller is Windows Server 2008 R2, that is not supported in ACS 4.x.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Settlement, Distribution rule; Validity limit

    Dear All,
    Whenever I am creating the Internal Order in KO01, the following are the things I maintained in the Order:
    Settlement Profile in Order Type
    It is a Real Order
    Statistical Order CB was deselected
    These are the things I maintained, yet it still shows the following errors:
    1. Enter a distribution rule for WBS element without a validity limit
        Message no. KD059
    2. Enter a distribution rule for Cost center without a validity limit
        Message no. KD059
    Actually my doubt is where we have to maintain the Validity Limit? In Settlement Profile or where?
    Regards
    Raj

    Dear Greta Baranyai
    Here it shows the following error while doing the settlement in CJ88; here the sender is the WBS. In that WBS I maintained the Rule Receiver Cat: CTR, Cost Center Name: XXX, Settlement: Full, & 100 etc. Even though, it shows the following error.
    Error:- Maintain the settlement rule of the sender
               Message no. KD205
    Any help
    Regards
    Raj

  • ACS File Operation Bulk Upload (Device limit?)

    Hi
    I was trying to upload about 250 devices to my ACS server using the file operations option. I downloaded the template and added the devices, but when I try to add the 250 devices only 15 would add at any one time. Why? Does anyone know what the problem might be?
    I've modified the template many times to see if the template was the issue; however, every time it's limited to 15 devices.
    I've already uploaded the devices manually, but for future users and myself I'm wondering if anyone knows what the reason could be.
    Cheers,
    Paul

    There is no built-in limit and I have seen this working with many more than 15 devices; but I cannot say what your issue was without seeing the file you used.
    One thing you could try is doing an export; you can then see the file format/contents for all devices.

  • ACS Tacacs+ aaa authorization commands

    Hi,
    I would like to authorize only certain configuration commands via the TACACS server, so in the group setup of ACS I have checked "command", written "configure" in the field, and declared as arguments "permit terminal" and "permit snmp-server enable traps". But I cannot configure snmp until I declare in the router: privilege config level 7 snmp-server enable. (I use a level 7 user.)
    My question is : is there a way to control the granularity of configuration commands on the ACS, in the same way as you can control the granularity of the show commands ?
    Many thanks
    Patrice

    Yes, you can get very granular using Command Authorization Sets and they can be applied to individual users or groups.
    Setting Up and Managing Shared Profile Components
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html
    hth

  • ACS shell command authorization help

    Hello,
    I wanted to only allow users to use the interface command. But when I permit config terminal in the ACS shell command set, all the commands are allowed. How can I limit the users to only have permission for the interface command?
    Thanks

    Two things could be wrong
    1) You don't have the following command on your AAA Client:
    aaa authorization config-commands
    2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards
    Farrukh
