View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

Home » Security » SEC0097 - ACS 5.4 Directory Attribute and User Custom Attribute

SEC0097 - ACS 5.4 Directory Attribute and User Custom Attribute

Rating: 
0
No votes yet
Difficulty Level: 
3
Lab Document: 
<Please login to see the content>
Category: 
Security
The video demonstrates User Custom Attribute and Active Directory Attribute features on Cisco ACS 5.4. We will leverage these two features to enforce per-user VPN access as well as static IP assignment. Please note that this lab is built on top of configuration on the previous lab video (SEC0096).
Topic:
  • Active Directory Attribute
  • Local Custom Attribute
  • Local User with External Password
  • Cisco AnyConnect Client SSL VPN
  • Policy Element
    • Authorization Profile
    • RADIUS Framed-IP-Address Attribute
  • Access Services
    • Authorization Policy
Tag: 
acs
radius
vpn
anyconnect

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
http://www.linkedin.com/in/methachiewanichakorn

12 comments

Submitted by macfrist on Wed, 08/21/2013 - 07:54

Hi,
Please is there any possibility to insert Multiple AD ? and Multiple domain ?

Submitted by admin on Mon, 02/17/2014 - 00:40

Multiple AD integration is not possible at the current release. If you need to access multiple domains, you will need to use LDAP.

Submitted by macfrist on Sun, 09/29/2013 - 04:22

Dear all,

Can somebody tell me all attribute that can make users change thier password after expiration ? because they cannot. In the ACS log i can see that user have to change thier password.

Submitted by admin on Tue, 10/01/2013 - 00:04

Can you elaborate on the scenario? Are you talking about chaing password over VPN? 

Submitted by oldshield on Mon, 02/17/2014 - 00:02

acs 5.4 migration guide showed some screen shots for custom attributes I need to use for end users at remote sites.
group similar to fig 2.1 page 25
device type like figure 2.2
identity similar to fig 2.8
figure 2.9 is what I am interested in is adding location, router, switch , wireless-controller. either yes or no and how to associate those attributes with the actual switch router and wireless-controller device groups under each site.

I don't know enough about 5.4 yest to figure this out correctly.

Submitted by admin on Mon, 02/17/2014 - 00:37

Can you elaborate exactly what you are trying to accomplish?

Submitted by oldshield on Mon, 02/17/2014 - 08:22

figure 2.9 in the migration guide from cisco, is what I am interested in is adding location, router, switch , wireless-controller. either yes or no and how to associate those attributes with the actual switch router and wireless-controller device groups under each site.

I want to be able to have the same rights for personel at a site with the exception of being able to give them rights for instance to switches but not routers. Though some personel, will need access to all three device types.

NDG

location
-all locations
--hospital 1234
---routers
---switches
---wireless-controllers

----------------------------------------

device types

- all device types
-- routers
-- switches
-- wireless controllers

-------------------------

users and identity store

sequence: ad and local

-----------------------------------------

policy elements

-- device administration
--- shell profile --> level 15
---- command set allow all

-----------------------------------------
access policies
- access sevices
-- Service Selection Rules
--- rule 1 match radius --> default network access
--- rule 2 match tacacs --> default device admin

default device admin
-- authorization
--- rule 1 _ level 15 from AD
--- rule 2 level 15 from local

--> custom conditions:

Protocol
AD1:External groups
AD1:company
identity group
NDG: location
NDG: Device type
Time and date

custom results:

shell profile
command sets

So there is my layout also.

Submitted by admin on Mon, 02/17/2014 - 22:50

You can pretty much accompish those just by using Device Type, Location, Device Filter, and Identity Group/AD Group as part of your Authorization conditions without any Custom Attribute. For each site, you can come up with two Identity Groups, one that can only access switches and the other to access everything. I would recommend not to use Custom atribute unless there is no other easy way to acoomplish it.

Submitted by techuser123 on Thu, 08/07/2014 - 05:50

I need your help to configure OTP using RADIUS Identity Servers, but I can't find any documentation related to it, this will be SMS server

Submitted by admin on Thu, 08/07/2014 - 16:58

http://communities.labminutes.com/security/acs-5-4-otp-on-behalf-of-tech...

Submitted by Koussan on Tue, 09/30/2014 - 01:43

HI,
great video as usual , thanks .
Would you please give me a hint on the following requirement:
- VPN users accounts are on AD .
- We need to configure a field in the user properties on AD , i.e description , so that when the user connect , based on the value configured on that field , the user will get vpn access till certain date , for example , on user1 description field , we configure a value of "A" , ACS should allow access for that user for 3 months , while if it is B , the user will get access for 6 months , and so on ..

Any idea will be useful , and thanks once again for your great videos .

Submitted by admin on Tue, 09/30/2014 - 17:58

I am afraid that it may not be possible simply because ACS does not keep track on when the user first login or when it should start counting down the 30/60 days. Even if you try to hardcode the end date in the description, there is no absolute date/time comparison on the ACS neither. I would think a more feasible approach is to disable the AD account, or set an attribute value at certain date, if possible,  so ISE can perform a simple check based on liveliness of the account or some value