ACS 5.3 Group Mapping based on AD group membership

Hi,
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership and map it appropriately to an identity group.
What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG), then associate them with the identity group SEC-ENG. Then, under the authorization portion of the access service, I assign shell profiles and command sets based on identity group.
It seems that the ACS server will not match the AD group for the user, and it matches the Default of the Group Mapping portion of the policy every time.
I tried several configuration choices, from AD1:ExternalGroups contains any <string showing in AD> to AD1:memberOf <group>.
Is there something special I need to do in the Group Mapping policy to get it to match an Active Directory group and result in assigning the host to an identity group?
Thank you,
Sami

Ok, my case is like this.
I use ACS 5.3 for VPN authentication, using AD and an external RSA server for token authentication (two-factor authentication).
I didn't add all the VPN users to the ACS, because it would be troublesome; user authentication is managed by AD and the RSA server.
In some cases where we need to restrict a group of users to only certain resources, a downloadable ACL is used.
Following the Cisco docs, I managed to get the downloadable ACL to work when the authorization profile matching criterion is username, but when I change the matching criterion to identity group, the downloadable ACL won't work.
I have a case open with a Cisco engineer now and we are still in the middle of sorting things out.
The advice from the Cisco engineer is to have the access service set to Internal Users instead of the RSA server, but that would require us (the admins) to import all the VPN users into the ACS database.
Wondering whether there is a fix for this.
Thanks.

Similar Messages

  • Group suppression based on other group results

    How do I suppress an upper-level group based on there being no results in its sub-group level?
    Example:
    GroupA Part Id (suppress when GroupB has no results)
       GroupB  Operation  (This group uses a suppression formula itself)
    Sounds simple, I know, but I can't figure it out.
    Shirley

    I need to suppress at GroupB due to a conflict in the selection formula overriding other formulas.
    I was able to bring the suppressed field up to that level and suppress based on that.
    Tx
    Shirley
    Edited by: Shirley Cunningham on Mar 3, 2010 4:40 PM

  • How to hide screen group tab based on account group in XD01/02

    Hi Folks,
    I have added two screen groups (custom tabs like 'general data') in the XD01 screen. Based on the input parameter 'account group' I want to hide (suppress) one of the tabs. How can I read the account group number?
    Thanks and Regards,
    Kawish.

    Hi,
    Can you try to access the field like below? Just try to access the account group from the main program in the method.
    " Read KNA1-KTOKD (account group) directly from the main program SAPFM02D
    field-symbols: <lf_ktokd> type ktokd.
    data: l_ktokd type ktokd.
    assign ('(SAPFM02D)KNA1-KTOKD') to <lf_ktokd>.
    if sy-subrc = 0.
      " Field found in the calling program; copy the account group
      l_ktokd = <lf_ktokd>.
    endif.

  • Group Condition based on Customer Group

    Hi Experts,
    I have used the Group Condition feature of Pricing (Group Condition tick mark in transaction V/06).
    The actual use of this Group Condition is somewhat like mentioned below, as per the F1 help:
    "For a group condition to be effective, the items must belong to a group. You can freely define the group to meet the needs of your own organization. The items can, for example, all belong to the same material group."
    Now I want to know which different groups are considered for applying the Group Condition concept.
    I want to apply this Group Condition concept to the line items with the same customer group (the material group can be different for them).
    Is it possible? If yes, how can I set / configure it? If not, is there any other alternative for that (like a GrpCond. routine)?
    Thanks in advance.
    Kind Regards,
    HP

    Hi Krishna,
    Thanks a lot for the reply.
    Actually I am aware of VOFM and how to write routines as well. My problem here is that I don't know which structure or internal table I should work with in the routine.
    For example, if I write a routine for normal pricing we use fields XKWERT, XKWART or structure XKOMV with fields KWERT, KWART etc.
    So in the same way, what should I change or use or update to change the Group Condition check base?
    As mentioned in the F1 help:
    "For a group condition to be effective, the items must belong to a group. You can freely define the group to meet the needs of your own organization. The items can, for example, all belong to the same material group."
    Here, if the material group (KONDM) is the same, the group condition will work. That means somewhere I need to replace KONDM by KDGRP in the routine. Where do I find this and replace KONDM by KDGRP?
    Thanks in advance.
    Kind Regards,
    HP

  • How to control outer group data based on inner group data

    Hi ,
    Please can anyone help me with this issue.
    I have one invoice header record and for that invoice there are 15 invoice line records.
    1) My requirement is that I want to print 10 invoice records on the first page and the remaining records on the next page. This I have achieved (by using a solution posted in the forum).
    I have the layout like this:
    image:!C:\Documents and Settings\madhu.rn\Desktop\layout.jpg!
    main group data table
    I had inserted another table for the inner group data.
    Again main group data in the main table.
    2) But here I don't want to print the header info again on the second page.
    3) I am not getting the line numbers in the inner group in ascending order; I am getting them in descending order. How do I get them in descending order?
    4) If line records are going to the second page, I don't want to print subtotal, tax, total (these are main group data) on the first page; instead of this,
    in place of
    subtotal -- want to print Continued......
    Tax - null
    Total: page 1 of 2. Like that I want to print on the first page.
    I want them to print on the second page.
    5) The bottom portion also should not print on the second page (after the inner group data, there is some main group data).
    I have one doubt: by using inner group data, can we control outer group data?
    If any of my requirements are not possible to meet, please provide me the information.
    This is urgent for me; I have to submit it.
    Edited by: user644268 on Feb 8, 2010 11:10 AM

    Hi,
    Please help me in this issue. Its an urgent requirement.
    Thanks in Advance..

  • Grouped output required based on input group :No one???????

    Hi to all,
    I want grouped output based on input group.
    e.g
    SQL> select * from test_data;
    FIELD
    a
    b
    c
    d
    e
    a
    e
    c
    d
    e
    10 rows selected.
    SQL>
    Now I want grouped output like this
    When I give input set (a,b) then output should be :
    a,b
    a
    c
    c
    d
    d
    e
    e
    e
    When I give input set (a,e) then output should be :
    a,e
    a,e
    b
    c
    c
    d
    d
    e
    I want a query regarding this , I know this is possible through Pl/SQL, but the requirement is through query.....
    rgds,
    Rup

    I want grouped output based on input group.
    I want a query regarding this
    with
    -- split the comma-separated test data into one row per value
    test_data as
    ( select substr(p, instr(p, ',', 1, level) + 1, instr(p, ',', 2, level) - instr(p, ',', 1, level) - 1) as field
        from (select ',' || 'a,b,c,d,e,a,e,c,d,e' || ',' as p from dual)
        connect by level <= length(p) - length(replace(p, ',')) - 1
    ),
    -- split the input set the same way (distinct values only)
    input_set as
    ( select distinct substr(p, instr(p, ',', 1, level) + 1, instr(p, ',', 2, level) - instr(p, ',', 1, level) - 1) as field
        from (select ',' || 'a,d,e' || ',' as p from dual)
        connect by level <= length(p) - length(replace(p, ',')) - 1
    ),
    -- the least frequent input value limits how many complete groups can be formed
    group_count as
    ( select min(count(i.field)) as group_cnt
        from test_data t, input_set i
        where i.field(+) = t.field
        group by t.field
        having count(i.field) > 0
    ),
    -- number each occurrence within its value (group_no1) and overall (group_no2)
    test_data2 as
    ( select field,
          row_number() over (partition by field order by null) as group_no1,
          row_number() over (                   order by null) as group_no2
        from test_data
    ),
    -- position of each input value inside the set, used to chain them in order
    input_set2 as
    ( select field, row_number() over (order by field) as item_no
        from input_set
    )
    select max(fields) as fields
      from
      ( select
            replace(sys_connect_by_path(decode(level, 1, group_no2), '-'), '-') as group_no,
            ltrim(sys_connect_by_path(t.field, ','), ',') as fields,
            level as lvl
          from test_data2 t, input_set2 i, group_count
          where i.field(+) = t.field
          start with group_no1 > group_cnt or item_no = 1 or item_no is null
          connect by prior group_no1 <= group_cnt and group_no1 = prior group_no1 and item_no = prior item_no + 1
      )
      group by group_no
      order by max(lvl) desc, fields;
    FIELDS
    a,d,e
    a,d,e
    b
    c
    c
    e
    6 rows selected.

  • ACS Group mapping and restrictions

    hi,
    I would appreciate receiving some configuration steps on ACS to fulfil the following requirement and hope you can help me.
    ACS Groups
    Netadmin - needs telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    thanks in advance.

    In ACS a user can only belong to one group. But in AD we can have one user be part of multiple groups.
    In this scenario, it is very important to understand how ACS group mapping works.
    Let's say that you have three different groups in AD for NetworkAdmin, RouterAdmin, Wireless. Go to External User Databases == Database Group Mappings == Windows NT/2000 == select the domain to which you are authenticating == Add mapping.
    Select the AD group NetworkAdmin and map it to CiscoSecure group 1
    select the AD group RouterAdmin and map it to CiscoSecure group 2
    select the AD group Wireless and map it to CiscoSecure group 3
    Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is the first configured mapping, it will be looked at FIRST (if a user exists in the NetworkAdmin group, it will always be mapped to CiscoSecure group 1, NO further mappings for this user are checked, and the user is authenticated or rejected).
    Scenario: if you have a user called cisco in the NetworkAdmin group, cisco1 in the RouterAdmin group, and cisco2 in Wireless, they will always be dynamically mapped to ACS groups 1, 2 and 3 respectively as per the above mappings.
    You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices, you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. With these you permit access on a group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for Wireless or VPN devices, you would need to configure both IP based AND CLI/DNIS based together, because NARs were originally designed for Cisco IOS routers and switches.
    IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password). The only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.
    ACS will not support the following configuration:
    *An Active Directory user that is a member of 3 AD groups (group A, B and C). *Those 3 groups are mapped within ACS as follows: Group1->A, Group2->B and Group3->C.
    *The user is in all 3 groups; however, he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the order below...
    NT Groups ACS groups
    A,B,C =============> Group 1
    A =============> Group 2
    B =============> Group 3
    C =============> Group 4.
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
    This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG
    Do rate helpful posts

  • Issue with group mapping in ACS.

    When we map an AD group in ACS to an ACS group, it shows up as the AD group and * (as below: “ ,* ”). Because of this * everybody is able to log in irrespective of their AD group.
    Please suggest a way to add only the NT group alone, without the *.

    Actually '*' means something else.
    If you have a group in AD, say 'Alfa',
    when you do a mapping on ACS you'll see it like this:
    'Alfa', * ------- Group x
    The above means: if a user is a member of group 'Alfa' in AD, AND can also have any other group membership in AD (the meaning of *), then map them to Group x on ACS.
    It does not mean map everyone to Group x, even if they are not a member of group 'Alfa' in AD.
    As mentioned by JG above, all the users are able to authenticate because of your 'All other combinations' or \DEFAULT mapping on ACS.
    Map them to .
    Then only those for whom you have the mapping defined on ACS will be able to log in.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538
    Check Step 8,
    "The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."
    Regards,
    Prem

  • ACS 3.3 Windows group mapping problem

    Hi,
    I'm running Cisco Secure ACS v3.3 on a Windows 2000 server (SP4). The ACS server is a member of AD domain X. Additionally, there are two AD forests, so domains X and Y are in the same forest, but domain Z is a member of the second one. Trust relationships between all domains are established (the AD domain controllers are W2K3 servers). I need to add Windows AD group mappings, and that's no problem in domains X & Y. But when I try to map some groups from domain Z, the error "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." appears. In the ACS documentation I have found the information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it, it's impossible to add a mapping from the second forest? Am I right? Is the problem solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
    Thanks,
    Peter

    You need to set up a proxy.
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
    Look for "Cross-Forest Authentication" in the above link and you'll get the idea of what I mean. Though in the above link it's depicted with an IAS server, the same is possible with ACS, as both can act as a RADIUS server.
    There is a known bug, CSCsi04187:
    PEAP MS-CHAP machine authentication will fail with "machine not found" if the host/ format is sent from the client. This only happens if the machine is authenticating to a domain forest that the ACS is not a member of.
    Conditions:
    The machine authenticating to ACS is in a different domain forest than the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
    Workaround:
    If the supplicant has the option, you can send the machine name in hos/ format.
    Many supplicants do not have this option.
    It is to be fixed in the ACS 4.2 release.
    Regards,
    ~JG

  • User in a windows group - mapping to acs group appears not be working

    I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
    Any suggestion?

    Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
    1. External User Databases - Database Configuration - Windows Database - Configure
    Make sure your domain is listed in and moved to the Domain List section
    2. External User Databases - Database Group Mappings - Windows Database - Add Manual Mapping
    Make sure you have the right AD group mapped to the internal ACS group; you can even set users* if you want to include all users.
    3. External User Databases - Unknown User Policy
    Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases
    Check the “The database in which the user profile is held” radio dial in the Configure Enable Password Behaviour section
    Hope that helps!

  • ACS group mapping

    hello
    We are using ACS 4.2 to authenticate network admins accessing switches and routers. ACS is integrated with Windows Active Directory,
    so we map AD groups to ACS groups and we specify access restrictions in the ACS groups.
    Now we want to use this ACS to authenticate wireless users. Wireless users will use their AD accounts.
    So I think we should create a new internal group in ACS and map AD mobile users to this group. Using RADIUS attributes we can put these users in one particular VLAN.
    However, what if one network administrator accesses the wireless network? He will use the AD account that belongs to both groups: the network-admin group and the wireless group.
    So what will ACS do in this case? Will it be mapped to the first group or the second, or maybe both?!!!

    I can't see how NAP can resolve my issue.
    Suppose ohasairi is one account in AD that belongs to AD groups network-admin and wireless-users.
    AD network-admin is mapped to the ACS network-admin group. This group is configured with a NAR to limit access to some network devices.
    AD wireless-users is mapped to ACS wireless-users, which is configured with the adequate Airespace attributes and IETF attributes to put it in VLAN 80 (wireless VLAN).
    Now if I put the network-admin mapping first, then if ohasairi tries to access the wireless network it will not succeed, because it will be mapped to the network-admin group, and this group is not configured with the IETF attributes that put the user in VLAN 80!
    If I put the wireless-users mapping first, then if ohasairi tries to access a network device, I am afraid it will be assigned to VLAN 80!
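    The ordered, first-match behaviour JG describes above (including the "A,B,C first" combination layout), Prem's reading of the trailing '*', and the ohasairi case in this thread, modelled as an added Python example. This is not ACS code; the rule tables, group names and the "dual-membership" combination rule applied to ohasairi's two groups are constructed assumptions, and the helper that reports rules an earlier rule shadows is an audit check the thread does not mention.

```python
"""Model of ACS ordered group mapping: first matching rule wins.

Added example, not Cisco/ACS code. Rules are evaluated top to bottom; a rule
matches when its AD group set is a subset of the user's memberships (the
', *' shown in the ACS UI means extra memberships are allowed); the first hit
decides the ACS group and later rules are never consulted. Unmatched users
fall to the default ('All other combinations' / \\DEFAULT) mapping.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

DEFAULT_GROUP = "Default"   # ACS 'All other combinations' mapping


@dataclass(frozen=True)
class Rule:
    required: FrozenSet[str]   # AD groups the user must hold; {'Alfa'} == 'Alfa', *
    acs_group: str             # ACS group the user is placed in


def rule(acs_group: str, *ad_groups: str) -> Rule:
    return Rule(frozenset(ad_groups), acs_group)


def map_user(ad_memberships: Iterable[str], rules: List[Rule]) -> str:
    """Return the ACS group for a user: first rule covered by their AD groups."""
    held = frozenset(ad_memberships)
    for r in rules:
        if r.required <= held:       # extra memberships are allowed (the '*')
            return r.acs_group
    return DEFAULT_GROUP


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never match because an earlier rule requires only a
    subset of their AD groups. Audit check (assumed, not an ACS feature)."""
    return [r for i, r in enumerate(rules)
            if any(e.required <= r.required for e in rules[:i])]


# JG's unsupported layout: A->1, B->2, C->3. A user in all three always gets 1.
PER_GROUP = [rule("Group 1", "A"), rule("Group 2", "B"), rule("Group 3", "C")]

# JG's working layout: combination rule first, then the single groups.
COMBO_FIRST = [rule("Group 1", "A", "B", "C"), rule("Group 2", "A"),
               rule("Group 3", "B"), rule("Group 4", "C")]

# Same rules with the combination last: it is dead, shadowed by the A rule.
COMBO_LAST = [rule("Group 2", "A"), rule("Group 3", "B"),
              rule("Group 4", "C"), rule("Group 1", "A", "B", "C")]

# ohasairi's case (constructed names): one AD account in both groups.
ADMIN_FIRST = [rule("acs-network-admin", "network-admin"),
               rule("acs-wireless-users", "wireless-users")]
WIRELESS_FIRST = list(reversed(ADMIN_FIRST))
# JG's combination trick applied to those two groups (assumed layout): dual
# members get a dedicated ACS group. What NAR/VLAN attributes that group
# should carry is a separate configuration decision this model does not make.
DUAL_FIRST = [rule("acs-admin-and-wireless", "network-admin", "wireless-users")] + ADMIN_FIRST

if __name__ == "__main__":
    both = {"network-admin", "wireless-users"}
    for name, table in [("admin first", ADMIN_FIRST),
                        ("wireless first", WIRELESS_FIRST),
                        ("dual first", DUAL_FIRST)]:
        print(f"{name:15} -> {map_user(both, table)}")
    print("dead rules in COMBO_LAST:", [r.acs_group for r in shadowed_rules(COMBO_LAST)])
```

    Whatever device the user connects to, the mapping depends only on AD membership and rule order, which is why reordering alone cannot give ohasairi different groups for wireless and device access.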

  • Move group mapping ACS 3.3 or 4.0

    Hi,
    Is there some possibility to move a group mapping UP/DOWN in the list of mappings? When I create a mapping it's at the end of the list, but I need to move this rule to another position in the list because there is a sequential system for matching rules.

    In ACS 3.3(11):
    External User Database...Database Group Mappings...Pick Database...Pick Domain(If Windows) or Pick Tree(if NDS)...
    This should bring you to your group listings...click Order Mappings then you can move your groups up or down.

  • ACS Group to NT Group mapping

    Can anyone tell me if the ACS server (2.6 Build 10) needs be in the domain (or a trusted domain) that you want to map your ACS groups to? My ACS server is a stand-alone server, not a member of any domain, but I cannot map users to groups anywhere except the local ACS NT Groups. Any help is appreciated.
    Tom

    You won’t be able to map your domain users/groups to the ACS database unless the server is on the domain. A standalone server will have a local security database only.

  • How to change the values in custom profiles based on security group ??

    Hi,
    I am facing a problem with my requirement; can anybody help me with the scenario below?
    I have custom check-in profiles; there are content types and sub types. A sub type is nothing but a category for a particular content type. For example, I have the News content type, and the sub type drop-down list below it contains press release, events, articles etc.
    What I want to do is, when I open the custom check-in profile, the sub type values need to change (some values in sub type should hide) based on security group changes.
    In the sub type listed values, some values need to hide only when I choose different security groups. Sub type values should display based on the particular security group only. Whenever I change the security group, the drop-down values in sub types need to change.
    I hope you understand my requirement.
    How do I achieve this task? Any help would be greatly appreciated.
    Thanks,
    yt

    Hi,
    Thanks a lot. It's working fine.
    Can we configure a DCL relation two times on one information field??? I should not create more fields than needed for this requirement.
    Type -> Subtype = DCL already exists
    Now, I want to create a DCL for
    Subtype ---> Security group
    As per my requirement, if I change the security group in the check-in form, the values should change in the SubType drop-down list.
    In the created check-in profile there was a DCL relation for "Type" and "Sub Type". Now I want to map a relation (DCL) for subtype to security group.
    I was trying to do a DCL for subtype and security group, but there was already an existing DCL created for the subtype information field (relation configuration done for content type). I even tried to do the DCL on the security group information field, but I could not find the security group information field in Configuration Manager.
    Now what should I do?? How do I create a DCL for subtype and security group??
    Help would be appreciated.
    yt

  • Using geocode in a map based on a view where two datasets are joined

    Hi,
    I'd like to create a map based on a view in which two datasets are joined, where one of the datasets has a geocode column.
    Unfortunately this is not working... It seems that a custom view in which two datasets are joined together, where one of them has a geocode column, makes the geocode column invisible to the map component.
    The following cases do work, but we'd like to combine them so that we can combine different datasets in Studio without using the Integrator:
    - I can create a custom view in which we join two datasets > the view can be used as a source for different components but not the map component (it seems that the geocode column is not found)
    - I can create a custom view with a geocode column in it, and that one can be used as a source for a map
    What I'd like to show is that it is possible to have one dataset coming from a source system and that it is easy to combine an additional Excel sheet with geo-information and maybe another Excel sheet with different measures. This should be possible since you can join different datasets together in a custom view.
    Thanks in advance,
    Richard

    Oh sorry, we have two base views and one custom view:
    base view TRIS_Omzet, which gets its data from an OBI server and has data like revenue, customer, time, etc.
    base view Endeca_Klanten, which gets its data from an Excel sheet; this view contains the name of the customer and the geocode of the customer's location
    We created one custom view (Omzet_Geo) where the two base queries are joined together using the following query:
    DEFINE V1 AS SELECT
    "Endeca_Klanten.Klanten" AS Klant,
    "Endeca_Klanten.Coordinaten" AS Coordinaten
    from Endeca_Klanten;
    DEFINE V2 AS SELECT
    "TRIS_Omzet.Naam_Consultant" AS Naam_consultant,
    "TRIS_Omzet.Jaar" AS Jaar,
    "TRIS_Omzet.Jaar_week" AS Jaar_week,
    "TRIS_Omzet.Actual" AS Actual,
    "TRIS_Omzet.Omzet" AS Omzet,
    "TRIS_Omzet.Partij" AS Partij,
    "TRIS_Omzet.Uren" AS Uren
    FROM TRIS_Omzet;
    DEFINE Omzet_Geo AS SELECT
    V1.Klant AS Klant,
    V1.Coordinaten AS Coordinaten,
    V2.Naam_consultant AS Naam_consultant,
    V2.Jaar AS Jaar,
    V2.Jaar_week AS Jaar_week,
    sum(V2.Actual) AS Actual,
    sum(V2.Omzet) AS Omzet,
    V2.Partij AS Partij,
    sum(V2.Uren) AS Uren
    from V1
    right join V2
    on (V1.Klant=V2.Partij)
    group by Klant, Coordinaten, Naam_consultant, Jaar, Jaar_week, Partij;
    Our view definition in the GUI looks like the following. As shown in the screenshots, the datatype of the coordinates column is a Geo column both in the base view and in the custom view. However, the view still can't be selected as a source for the map component.
    The two base views:
    The custom view:
    regards,
    Richard
