View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0097 - ACS 5.4 Directory Attribute and User Custom Attribute

No votes yet
Difficulty Level: 
Lab Document: 
<Please login to see the content>
The video demonstrates User Custom Attribute and Active Directory Attribute features on Cisco ACS 5.4. We will leverage these two features to enforce per-user VPN access as well as static IP assignment. Please note that this lab is built on top of configuration on the previous lab video (SEC0096).
  • Active Directory Attribute
  • Local Custom Attribute
  • Local User with External Password
  • Cisco AnyConnect Client SSL VPN
  • Policy Element
    • Authorization Profile
    • RADIUS Framed-IP-Address Attribute
  • Access Services
    • Authorization Policy

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


Please is there any possibility to insert Multiple AD ? and Multiple domain ?

Multiple AD integration is not possible at the current release. If you need to access multiple domains, you will need to use LDAP.

Dear all,

Can somebody tell me all attribute that can make users change thier password after expiration ? because they cannot. In the ACS log i can see that user have to change thier password.

Can you elaborate on the scenario? Are you talking about chaing password over VPN? 

acs 5.4 migration guide showed some screen shots for custom attributes I need to use for end users at remote sites.
group similar to fig 2.1 page 25
device type like figure 2.2
identity similar to fig 2.8
figure 2.9 is what I am interested in is adding location, router, switch , wireless-controller. either yes or no and how to associate those attributes with the actual switch router and wireless-controller device groups under each site.

I don't know enough about 5.4 yest to figure this out correctly.

Can you elaborate exactly what you are trying to accomplish?

figure 2.9 in the migration guide from cisco, is what I am interested in is adding location, router, switch , wireless-controller. either yes or no and how to associate those attributes with the actual switch router and wireless-controller device groups under each site.

I want to be able to have the same rights for personel at a site with the exception of being able to give them rights for instance to switches but not routers. Though some personel, will need access to all three device types.


-all locations
--hospital 1234


device types

- all device types
-- routers
-- switches
-- wireless controllers


users and identity store

sequence: ad and local


policy elements

-- device administration
--- shell profile --> level 15
---- command set allow all

access policies
- access sevices
-- Service Selection Rules
--- rule 1 match radius --> default network access
--- rule 2 match tacacs --> default device admin

default device admin
-- authorization
--- rule 1 _ level 15 from AD
--- rule 2 level 15 from local

--> custom conditions:

AD1:External groups
identity group
NDG: location
NDG: Device type
Time and date

custom results:

shell profile
command sets

So there is my layout also.

You can pretty much accompish those just by using Device Type, Location, Device Filter, and Identity Group/AD Group as part of your Authorization conditions without any Custom Attribute. For each site, you can come up with two Identity Groups, one that can only access switches and the other to access everything. I would recommend not to use Custom atribute unless there is no other easy way to acoomplish it.

I need your help to configure OTP using RADIUS Identity Servers, but I can't find any documentation related to it, this will be SMS server

great video as usual , thanks .
Would you please give me a hint on the following requirement:
- VPN users accounts are on AD .
- We need to configure a field in the user properties on AD , i.e description , so that when the user connect , based on the value configured on that field , the user will get vpn access till certain date , for example , on user1 description field , we configure a value of "A" , ACS should allow access for that user for 3 months , while if it is B , the user will get access for 6 months , and so on ..

Any idea will be useful , and thanks once again for your great videos .

I am afraid that it may not be possible simply because ACS does not keep track on when the user first login or when it should start counting down the 30/60 days. Even if you try to hardcode the end date in the description, there is no absolute date/time comparison on the ACS neither. I would think a more feasible approach is to disable the AD account, or set an attribute value at certain date, if possible,  so ISE can perform a simple check based on liveliness of the account or some value

Lab Minutes Classifieds