ACS group mapping

Similar Messages

• ACS Group mapping and restrictions

  hi,
  I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
  ACS Groups
  Netadmin - need telnet/ssh/vpn/wireless
  wireless - only wireless authentication
  vpn - only vpn authenticaiton
  I need to map the above ACS groups to one/or many AD groups and restric access as stated above.
  Also please note that one user can be belongs to all three groups in ACS/AD.
  thanks in advance.

  In ACS user can only belong to one group. But in AD we can have one user a part of multiple group.
  In this scenario, it is very important to understand how ACS group mapping works.
  Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
  Select the AD group NetworkAdmin and map it to ciscosecure group 1
  select the AD group RouterAdmin and map it to ciscosecure group 2
  select the AD group Wireless and map it to ciscosecure group 3
  Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
  Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
  You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
  SCENARIO:
  Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
  NOTE:
  If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
  routers and switches.
  IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
  username is to go to usersetup find that user and delete it manually.
  ACS will not support the following configuration:
  *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
  *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
  However there if your mappings are in below order...
  NT Groups ACS groups
  A,B,C =============> Group 1
  A =============> Group 2
  B =============> Group 3
  C =============> Group 4.
  You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
  This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
  You can create a rule for users in group A (Group 2)
  You can create a rule for users in group B (Group 3)
  You can create a rule for users in group C (Group 4)
  Regards,
  ~JG
  Do rate helpful posts

• ACS 3.3 Windows group mapping problem

  Hi,
  I?m running Cisco Secure ACS v.3.3 at Win 2000 server(sp4). ACS server is member of AD domain X. Additional there are two AD forests, so: domains X and Y are in the same forest, but domain Z is member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In ACS documentation I have found information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? If problem is solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
  Thanks,
  Peter

  You need to set up proxy.
  http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
  Look for "Cross-Forest Authentication" in above link. And you get the Idea of what I mean. Though in above link its depicted with IAS server, but same is possible with ACS, as both can act as Radius server.
  There is a known bug, CSCsi04187
  PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from client. This only happens if the machine is autenticating to a domain forest that the ACS is not a member of.
  Conditions:
  The Machine authenticating to ACS is in a different domain forest then the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
  Workaround:
  If the supplicant has the option you can send the macine name in hos/ format.
  Many supplicants do not have this option.
  It is to be fixed for ACS 4.2 release.
  Regards,
  ~JG

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.

• Issue with group mapping in ACS.

  When we map AD group in ACS with ACS group it coming as AD group and * (As below “ ,* ” ) , Because of this * everybody is able to login irrespective of his AD group.
  Please suggest way to only add the NT Group alone without the *.

  Actually '*' means something else.
  If you have a group on AD say 'Alfa'
  when you do a mapping on ACS, you'll see it like this,
  'Alfa', * ------- Group x
  Above means, if a user a member of Group 'Alfa' on AD, AND can also have any other group membership on AD (meaning of *), then map it to Group x on ACS.
  It does not mean map everyone to Group x, even if they are not a member of Group 'Alfa' on AD.
  As mentioned by JG above, all the users are able to authentication because of your 'All other combination' or \DEFAULT mapping on ACS.
  Map them to .
  Then only those will be able to log in, for whom you have the mapping defined on ACS.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538
  Check Step 8,
  "The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."
  Regards,
  Prem

• User in a windows group - mapping to acs group appears not be working

  I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
  Any suggestion?

  Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
  1. External User Databases - Database Configuration - Windows Database - Configure
  Make sure your domain is listed on moved to the Domain List section
  2. External User Databases - Database Group Mappings - Windows Database - - Add Manual Mapping
  Make sure you have the right AD group mapped to the internal ACS group, you can even set users* if you want to include all users.
  3. External User Databses - Unknown User Policy
  Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases
  Check “The database in which the user profile is held” radio dial in the Configure Enable Password Behaviour section
  Hope that helps!

• Move group mapping ACS 3.3 or 4.0

  Hi,
  is there some possibility to move some group mapping UP/DOWN in list of mapping? When i create some mapping it's at the end of list but i need to move this rule to another position in list becouse there is sequential system for matching rules..

  In ACS 3.3(11):
  External User Database...Database Group Mappings...Pick Database...Pick Domain(If Windows) or Pick Tree(if NDS)...
  This should bring you to your group listings...click Order Mappings then you can move your groups up or down.

• ACS Group to NT Group mapping

  Can anyone tell me if the ACS server (2.6 Build 10) needs be in the domain (or a trusted domain) that you want to map your ACS groups to? My ACS server is a stand-alone server, not a member of any domain, but I cannot map users to groups anywhere except the local ACS NT Groups. Any help is appreciated.
  Tom

  You won’t be able to map your domain users/groups to the ACS database unless the server is on the domain. A standalone server will have a local security database only.

• Dynamic Maping to ACS groups using OU instead of NT group

  Is there a way to us the Microsoft AD OU groups instead of using the old NT groups to dynamically mapping users to the ACS groups? We are using ACS server at vers 3.2 as well as some test server on 3.3.

  Cisco Secure ACS for Windows Servers 3.2 only supports two versions of the Windows 2000 operating system
  1)Windows 2000 Server, with Service Pack 3 or Service Pack 4 installed
  2)Windows 2000 Advanced Server, with the following conditions:
  with Service Pack 3 or Service Pack 4 installed
  without Microsoft clustering service installed
  without other features specific to Windows 2000 Advanced Server enabled

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• Cisco ACS Policy Mapping

  Hallo,
  I have a question about the policy mapping in ACS 5.4.
  When a request matches in "Access Selection Rule" the request goes to an "Access Service".
  In "Access Service" there are three kinds of policy rules:
  - Identity:
  If condition match then result "Identity Source"
  - Group Mapping
  If condition match then result "Identity Group"
  - Authorization
  If condition match the result "Auth Profil"
  Q1:
  For example:
  The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Wich condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale databse password" or "token passcode".
  Q2:
  What does it mean: "Group mapping"?
  Thx for your answer!
  Stefan

  Hi Stefan,
  The User "Test" is registered in Internal User with a local password.  But now I will authenticate the user "Test" from a RSA Token server.  How can I configure this rule in "identity policy"? Wich condition  matches to choose the identity source. I will set the internal user with  an attribute enumeration field like "Password". The administrator  should have an option to choose "locale databse password" or "token  passcode".
  In the identity, if you click on select, you can select the type of Database, you can choose RSA (you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
  Another, way is you continue to use the internal users DB, but you go to that user internally and select the password type to be RSA
  (you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
  Group mapping is a feature to assign a local identity group as a result by choose conditions.
  EG:
  If (Active directory x) Then (Internal group x)
  The IF is the condition and Then is Result.
  https://supportforums.cisco.com/docs/DOC-34890
  Hope this Helps.
  Ed

• ACS- Dynamic VLANS for different ACS groups with AD

  Hi all,
  How do I tied diff Active Directory domain groups to diff ACS defined groups? Each domain group will be tied to an ACS defined group with a diff vlan. I read about the option in help but don't see the option to actually do it.
  using ACS 3.3.
  JT

  You could refer to the document 'User Group Mapping and Specification' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/qg.htm#.

• AD group mapping failure

  I'm using an ACS version Release 3.2(3) Build 11 and i have proxy distribution table active without stripping domain names (user@domain). Whenever ACS consults AD as external database, user is authenticated but group mappings don't work!! users are authenticated and are inserted into Default usergroup.
  Is there some way to avoid this behavior and somehow configure AD to pass the Group name and, therefore allow the correct authentication within the correct group mapping.
  Nuno

  Hello,
  finally I have good news, The W2k3(R2) caused this issue. I installed the RA on a member server running W2k3 standard edition and magically RA start working and authintication had ben done successfully.
  Note:
  This recommendation not from the TAC enginner, from a gentleman experienced the same issue before.
  Many thx

• ACS Group Configuration Help Request

  We currently have an underutilized ACS server and are trying to 'secure' more of our devices and the network in general utilizing the ACS 4.0 we have.
  The problem, and I'm guessing it's a simple resolution, is that currently we have a Group called Remote_Access for vpn/citrix. It is mapped to an external database (Active Directory) group namped Remote_Access. Everything works fine there. The problem I'm having is, I created another group in ACS further down the list for TACACS_ADMIN. We also have this group mapped to an AD group called TACACSADM. However, it seems that due to the fact that I personally am a member of both RemoteAccess and TACACSADM, whenever I try to authenticate to a switch, it shows me hitting the RemoteAccess group.. not TACACS ADMIN. How do I tell the groups to ignore requests unless it comes from a certain AAA client? I tried doing a Define IP Based Restrictions and selecting the AAA NG that it could come from, but all that did was give me a 'user filtered' in the failed attempts log for RemoteAccess. Isn't there some way to have it skip the Remote Access group and go on to TACACS Admin group?
  Confusing I know.

  Hello,
  you can solve your problem with the feature Network Access Profile. With this feature you can assign one user to different groups.
  You must create two Network Access Profiles (profile_remote_access, profile_tacacs_admin)-
  with different protocol types (radius for remote access, tacacs for administration).
  Look at
  http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a00805e879e.html
  regards
  alex

• AD - ACS Group Mappings

  I have created a group on ACS and used:
  Ext User Database > Ext Grp Mappings to create mapping b/w ACS Group and AD Group. This works fine on Primary. However this information is not replicated to secondary. Would I have to recreate group mappings on each ACS Server (Primary and Backup and possibly another Backup). Is there a workaround or a more elegant method?

  Hi,
  The following items cannot be replicated:
  IP pool definitions (for more information, see About IP Pools Server).
  ACS certificate and private key files.
  Unknown user group mapping configuration.
  Dynamically-mapped users.
  Settings on the ACS Service Management page in the System Configuration section.
  RDBMS Synchronization settings.
  Third-party software, such as Novell Requestor or RSA ACE client software.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sad.htm#wp756078
  Hope that helps !
  Jagdeep