Well, I finally figured this out. Attached is the csv file (rename it to csv) you need to import into Cisco ACS to create a custom vendor (I named it "Juniper-Netscreen" because 'Juniper' is a predefined vendor and I couldn't figure out how to edit that one.
Steps:
1) Import attached file using the "System Configuration -> RDBMS Synchronization" feature.
- for the SE appliance, just import using the ftp function it gives you
- for the Windows software, you have to create an ODBC resource [administrative tools -> Data Sources (ODBC) -> System DSN tab -> add Microsoft text driver (*.txt, *.csv)] from the windows desktop. Name the file "accountActions.csv" and place it in the directory: "C:\Program Files\CiscoSecure ACS v4.1\CSDBSync\Databases\CSV". Then 'synchronize' inside the ACS GUI.
- Check the RDBMS logs for any errors. If successful, it will auto-push the changes during the ACS DB replication action, so you only have to do this to the ACS Master.
2) Set a network device to use "RADIUS (Juniper-Netscreen)" for authentication.
3) Turn on the options to show under user and group. Interface Configuration -> RADIUS (Juniper-Netscreen) -> check boxes as necessary.
4) set user's or group's domain and role as required.
below is some testing I did with various users and subdomains. I'm not going to reformat it, so take it as you will.
---------------------------------
===================
Must import accountactions.csv into RDBMS configuration and replicate DB.
Must configure at least a single device to use "RADIUS (Juniper-Netscreen)" in order to enable/edit the VSA's for users
NSM ACS info:
login user global: username
login user sub-domain: domain/username
For sub-domains, each domain requires separate RADIUS server configuration
Generic building of domain and role:
domain defines where user 'exists'; if sub-domain, user must login as defined above
- user in subdomain does nothing to restrict access
domain global: global
domain sub: global.<sub-domain>
role defines 2 things:
1 - before the colon: what user has access to (useful if giving user multiple roles with access to different sub-domains)
2 - after the colon: location of the defined role
(1) - this is the key to what the user can view
global access: global:
sub-domain access: global.<sub-domain>:
(2) - pre-defined roles ONLY exist in global
role global predefine: :<predefined role>
role global custom: :global.<custom role>
role sub custom: :global.<sub-domain>.<custom role>
The only reason to define custom roles in a sub-domain would be for easier management of many sub-domains, or if a global role of the same name requires different permissions than a sub-domain role (ie. 2 roles of same name with different permissions based on domain)
---------------------------------------------------------------------
[01]<tested>
global user, global access, pre-defined global role:
domain: global
role: global:<predefined role>
[02]<tested>
global user, global access, custom global role:
domain: global
role: global:global.<custom role>
[03]<tested>
global user, global access, custom sub-domain role:
*** INVALID permission set ***
domain: global
role: global:global.sub-domain.<custom role>
******************************
[04]<tested>
global user, sub-domain access, pre-defined global role:
domain: global
role: global.<sub-domain>:<predefined role>
[05]<tested>
global user, sub-domain access, custom global role:
domain: global
role: global.<sub-domain>:global.<custom role>
[06]<tested>
global user, sub-domain access, custom sub-domain role:
domain: global
role: global.<sub-domain>:global.<sub-domain>.<custom role>
[07]<tested> (can still view everything; no different than global user w/same access)
sub-domain user, global access, pre-defined global role:
domain: global.sub-domain
role: global:<predefined role name>
[08]<tested>
sub-domain user, global access, custom global role:
domain: global.sub-domain
role: global:global.<custom role>
[09]<tested>
sub-domain user, global access, custom sub-domain role:
*** INVALID permission set ***
domain: global.sub-domain
role: global:global.sub-domain.<custom role>
******************************
[10]<tested>
sub-domain user, sub-domain access, pre-defined global role:
domain: global.sub-domain
role: global.sub-domain:<predefined role>
[11]<tested>
sub-domain user, sub-domain access, custom global role:
domain: global.sub-domain
role: global.sub-domain:global.<custom role>
[12]<tested>
sub-domain user, sub-domain access, custom sub-domain role:
domain: global.sub-domain
role: global.sub-domain:global.sub-domain.<custom role>
Combo's are possible and work: just set 1 role per 'line' in the text box for the role
acs user r/w to sub 1, ro to sub 2:
user settings overrides group, but this is possible. Specific subdomain priveleges override global privs.
requires multiple roles defined in ACS
acs group r/w, acs user ro:
user setting always overrides group
acs group ro, acs user r/w:
user setting always overrides group
==============
------------------------
hopefully someone else finds this info useful