SEC0097 - ACS 5.4 Directory Attribute and User Custom Attribute
Category:
Security
The video demonstrates User Custom Attribute and Active Directory Attribute features on Cisco ACS 5.4. We will leverage these two features to enforce per-user VPN access as well as static IP assignment. Please note that this lab is built on top of configuration on the previous lab video (SEC0096).
Topic:
- Active Directory Attribute
- Local Custom Attribute
- Local User with External Password
- Cisco AnyConnect Client SSL VPN
- Policy Element
  - Authorization Profile
  - RADIUS Framed-IP-Address Attribute
- Access Services
  - Authorization Policy
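As an added illustration of the mechanism the lab covers (per-user VPN permission and static IP assignment driven by user attributes), not code from the video or from Cisco ACS: a small model of the authorization decision that returns Access-Accept with a RADIUS Framed-IP-Address AVP (attribute type 8, RFC 2865) when the user's record allows VPN and carries a static address. The user records and the attribute names `vpn-allowed` and `static-ip` are constructed placeholders, not ACS's own schema.

```python
import ipaddress
import struct

# Constructed sample user records (hypothetical attribute names, not ACS's schema).
USERS = {
    "alice": {"vpn-allowed": "true",  "static-ip": "10.10.10.5"},
    "bob":   {"vpn-allowed": "false", "static-ip": "10.10.10.6"},
    "carol": {"vpn-allowed": "true",  "static-ip": ""},
}

FRAMED_IP_ADDRESS = 8  # RADIUS attribute type for Framed-IP-Address (RFC 2865)


def framed_ip_avp(ip: str) -> bytes:
    """Encode a Framed-IP-Address AVP: type (1 byte), length (1 byte), IPv4 (4 bytes)."""
    packed = ipaddress.IPv4Address(ip).packed
    return struct.pack("!BB", FRAMED_IP_ADDRESS, 2 + len(packed)) + packed


def parse_avps(data: bytes) -> dict:
    """Walk a sequence of type/length/value AVPs and return {type: value_bytes}."""
    out = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        avp_type, avp_len = data[i], data[i + 1]
        # RFC 2865 requires length >= 2 and the AVP must fit in the buffer.
        if avp_len < 2 or i + avp_len > len(data):
            raise ValueError("malformed AVP")
        out[avp_type] = data[i + 2:i + avp_len]
        i += avp_len
    return out


def authorize(username: str):
    """Return (reply_code, avp_bytes) for a user, mirroring an authorization policy."""
    attrs = USERS.get(username)
    # Unknown user or VPN not permitted: reject, no attributes returned.
    if attrs is None or attrs.get("vpn-allowed") != "true":
        return "Access-Reject", b""
    avps = b""
    ip = attrs.get("static-ip")
    if ip:  # only push a static address when the record carries one
        avps += framed_ip_avp(ip)
    return "Access-Accept", avps
```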
Multiple AD
Hi,
Please, is there any possibility to insert multiple ADs and multiple domains?
Multiple AD
Multiple AD integration is not possible at the current release. If you need to access multiple domains, you will need to use LDAP.
Attribute for AD users
Dear all,
Can somebody tell me all the attributes that can make users change their password after expiration? Because they cannot. In the ACS log I can see that the user has to change their password.
Attribute for AD users
Can you elaborate on the scenario? Are you talking about changing the password over VPN?
help identity group custom settings
The ACS 5.4 migration guide showed some screenshots of custom attributes I need to use for end users at remote sites.
group similar to fig 2.1 page 25
device type like figure 2.2
identity similar to fig 2.8
Figure 2.9 is what I am interested in: adding location, router, switch, wireless-controller (either yes or no), and how to associate those attributes with the actual switch, router and wireless-controller device groups under each site.
I don't know enough about 5.4 yet to figure this out correctly.
help identity group custom settings
Can you elaborate exactly what you are trying to accomplish?
custom attributes
Figure 2.9 in the migration guide from Cisco is what I am interested in: adding location, router, switch, wireless-controller (either yes or no), and how to associate those attributes with the actual switch, router and wireless-controller device groups under each site.
I want to be able to have the same rights for personnel at a site, with the exception of being able to give them rights, for instance, to switches but not routers. Though some personnel will need access to all three device types.
NDG
location
-all locations
--hospital 1234
---routers
---switches
---wireless-controllers
----------------------------------------
device types
- all device types
-- routers
-- switches
-- wireless controllers
-------------------------
users and identity store
sequence: ad and local
-----------------------------------------
policy elements
-- device administration
--- shell profile --> level 15
---- command set allow all
-----------------------------------------
access policies
- access services
-- Service Selection Rules
--- rule 1 match radius --> default network access
--- rule 2 match tacacs --> default device admin
default device admin
-- authorization
--- rule 1 _ level 15 from AD
--- rule 2 level 15 from local
--> custom conditions:
Protocol
AD1:External groups
AD1:company
identity group
NDG: location
NDG: Device type
Time and date
custom results:
shell profile
command sets
So there is my layout also.
custom attributes
You can pretty much accomplish those just by using Device Type, Location, Device Filter, and Identity Group/AD Group as part of your Authorization conditions without any Custom Attribute. For each site, you can come up with two Identity Groups, one that can only access switches and the other to access everything. I would recommend not to use Custom Attribute unless there is no other easy way to accomplish it.
ACS 5.4 OTP
I need your help to configure OTP using RADIUS Identity Servers, but I can't find any documentation related to it; this will be an SMS server.
Topic reposted on Lab Minutes Forum
http://communities.labminutes.com/security/acs-5-4-otp-on-behalf-of-tech...
time & Date Restriction using AD attribute
Hi,
Great video as usual, thanks.
Would you please give me a hint on the following requirement:
- VPN user accounts are on AD.
- We need to configure a field in the user properties on AD, i.e. description, so that when the user connects, based on the value configured in that field, the user will get VPN access until a certain date. For example, in user1's description field we configure a value of "A", and ACS should allow access for that user for 3 months, while if it is "B", the user will get access for 6 months, and so on.
Any idea will be useful, and thanks once again for your great videos.
time & Date Restriction using AD attribute
I am afraid that it may not be possible, simply because ACS does not keep track of when the user first logs in or when it should start counting down the 30/60 days. Even if you try to hardcode the end date in the description, there is no absolute date/time comparison on the ACS either. I would think a more feasible approach is to disable the AD account, or set an attribute value at a certain date, if possible, so ISE can perform a simple check based on liveliness of the account or some value.