ACS Group to NT Group mapping

Can anyone tell me if the ACS server (2.6 Build 10) needs to be in the domain (or a trusted domain) that you want to map your ACS groups to? My ACS server is a stand-alone server, not a member of any domain, but I cannot map users to groups anywhere except the local ACS NT Groups. Any help is appreciated.
Tom

You won’t be able to map your domain users/groups to the ACS database unless the server is on the domain. A standalone server will have a local security database only.

Similar Messages

  • ACS 3.3 Windows group mapping problem

    Hi,
    I'm running Cisco Secure ACS v.3.3 at Win 2000 server(sp4). ACS server is member of AD domain X. Additional there are two AD forests, so: domains X and Y are in the same forest, but domain Z is member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In ACS documentation I have found information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? If problem is solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
    Thanks,
    Peter

    You need to set up proxy.
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
    Look for "Cross-Forest Authentication" in above link. And you get the idea of what I mean. Though in above link it's depicted with IAS server, but same is possible with ACS, as both can act as Radius server.
    There is a known bug, CSCsi04187
    PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from client. This only happens if the machine is authenticating to a domain forest that the ACS is not a member of.
    Conditions:
    The Machine authenticating to ACS is in a different domain forest than the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
    Workaround:
    If the supplicant has the option you can send the machine name in hos/ format.
    Many supplicants do not have this option.
    It is to be fixed for ACS 4.2 release.
    Regards,
    ~JG

  • Flex Connect Groups - WLAN to VLAN mapping

    I have a question about configuring WLAN to VLAN mapping on FlexConnect Groups.
    Do the mappings that are configured in the FC Group get inherited by the APs when they are placed in the group?
    It seems like they do not.
    I am playing around in a lab with a virtual WLC running 7.5 and an old 1131 AP.
    If I configure the WLAN to VLAN mapping on the individual AP, it works as expected.
    If I configure the WLAN to VLAN mapping within the FC group and add the AP to the group, it does not.
    The AP does not inherit the settings from the Group.
    I am wondering how you would deploy a lot of APs without having to configure each AP individually.
    Thanks

    Yes, you are correct. It is not like normal AP groups where it will map WLAN to AP belong to that AP group.
    Anyway since you have to convert each AP manually to FlexConnect mode, you should do the WLAN mapping at that point as additional step.
    FlexConnect Group is mainly to give fast roaming feature for FC APs in branch deployment solution (typically not so many APs). Also keep in mind you can have maximum 25 APs in FlexConnect AP group for WiSM2 or 5508 & you can go up to 100 in 7500 WLC. (see table 7.3 in below link)
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1108090
    HTH
    Rasika
    **** Pls rate all useful responses *****

  • Cisco secure ACS - RDBMS Rename a Group-

    Hi,
    I'm currently working with Cisco secure ACS 3.1 and I'm trying to use RDBMS synchronisation with a csv file. I create a accountactions.csv file where I create a new user.
    1,0,TESTuser,,100,,,,,,0,,,0
    2,0,TESTuser,,102,,test,,,,0,,,0
    Until here, all is working fine. But now, I would like to put this user into a Group. This should be done with :
    3,0,TESTuser,Group 30,106,,,,,,0,,,0
    But I would like to know if it's possible to rename or create one Group (e.g rename Group 30 with Group TEST) directly in my csv file ?
    Thank you
    Regards
    Pascal TOURNIER

    Here is what i found works for renaming a default group, as you cannot create more groups beyond what is there.
    SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
    1,1,,Group 100,210,,BPM,,,,0,,,0
    2,2,,Group 101,210,,CHANNEL SECURE OPS,,,,0,,,0
    3,3,,Group 102,210,,CISCO CNC,,,,0,,,0
    4,4,,Group 103,210,,CISCO NOS,,,,0,,,0
    5,5,,Group 104,210,,CTS,,,,0,,,0
    6,6,,Group 105,210,,DCI,,,,0,,,0
    line 1
    Rename "Group 100" to named group "BPM" using code 210 to perform the Action
    Gerald
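A pre-import check for the accountActions CSV discussed in this thread, added here as an example (it is not code from either poster or from Cisco). It covers only the action codes that appear above (100, 102, 106, 210); the required fields per action are an assumption inferred from the thread's sample rows, and the function name and sample data are constructed.

```python
import csv
import io

# Column order as given in the reply above.
COLUMNS = ("SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,"
           "Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status").split(",")

# Only the action codes that appear in this thread; required fields are
# inferred from the thread's sample rows (assumption, not a full code table).
ACTIONS = {
    "100": ("add user", ("UserName",)),
    "102": ("set password", ("UserName", "Value1")),
    "106": ("assign user to group", ("UserName", "GroupName")),
    "210": ("rename group", ("GroupName", "Value1")),
}


def lint_account_actions(text):
    """Return a list of (line_number, severity, message) findings."""
    findings = []
    seen_ids = set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row == COLUMNS:        # blank line or header row
            continue
        if len(row) != len(COLUMNS):
            findings.append((lineno, "error",
                             f"expected {len(COLUMNS)} fields, got {len(row)}"))
            continue
        rec = dict(zip(COLUMNS, (field.strip() for field in row)))
        if not rec["SequenceId"].isdigit():
            findings.append((lineno, "error", "SequenceId is not a number"))
        elif rec["SequenceId"] in seen_ids:
            findings.append((lineno, "error",
                             "duplicate SequenceId " + rec["SequenceId"]))
        seen_ids.add(rec["SequenceId"])
        if rec["Action"] not in ACTIONS:
            findings.append((lineno, "warn",
                             f"action {rec['Action']} not covered by this linter"))
            continue
        name, required = ACTIONS[rec["Action"]]
        for col in required:
            if not rec[col]:
                findings.append((lineno, "error", f"{name}: {col} is empty"))
        if rec["Action"] == "102" and rec["Value1"]:
            # The password sits in the file in cleartext.
            findings.append((lineno, "warn",
                             "cleartext password in file; restrict file access"))
    return findings


# Constructed sample: the thread's three rows plus two deliberately broken ones
# (a rename with no new name, and a row that is one field short).
SAMPLE = """\
1,0,TESTuser,,100,,,,,,0,,,0
2,0,TESTuser,,102,,test,,,,0,,,0
3,0,TESTuser,Group 30,106,,,,,,0,,,0
4,0,,Group 30,210,,,,,,0,,,0
5,0,TESTuser,Group 30,106,,,,,0,,,0
"""

if __name__ == "__main__":
    for finding in lint_account_actions(SAMPLE):
        print(finding)
```

A row that is one comma short shifts every later column, so the field-count check runs before any per-action check.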

  • Customer group and price group mapping

    Hi All ,
    I want to know where do we set the mapping for the customer group versus price group in the system .
    Is there any customizing t-code for this?
    Please advice.
    Thanks in advance,
    Swati

    Dear Swathi,
    There is no T-Code for Setting Customer Group and Pricing group in Customizing
    But we assign generally this two in front end due to requirements,
    like we consider in this two in Pricing condition creation in VK11, here suppose we maintain Key Combination in Customer Group and Pricing Group then we consider
    Hope this may help you
    Prem.

  • SSL Multiple Tunnel Groups with Multiple group policies

    Hello folks.
    Have a query and can't seem to find an answer on the web.
    I have configured SSL Clientless VPN on a lab ASA5510, using 2 tunnel groups, one for engineers and one for staff, mapped to 2 different group policies, each with different customisation. I have mapped the AD groups to the tunnel groups using both ACS and now LDAP (currently in use), both working successfully, using group lock and LDAP map of IETF-Radius-Class to Group name ensures engineers get assigned to the engineers tunnel group and staff get mapped to the staff tunnel group only.
    The question I have is....is there a way to use a single tunnel group to map the user based on AD group which will then use the correct Group-policy (1 tunnel group to multiple group-policies). I have seen examples of doing this with different URLs but want to know if they can all use the same URL and avoid using the drop down list using aliases.
    It may be a simple "No" but it would be nice to know how to do it without using the URLs or drop down list. Users are easily confused ......

    Easy. Disable the drop-down list, and use the authentication-server (LDAP or Radius) in the DefaultWEBVPNGroup. By default when you browse to the ASA, it will be using the DefaultWEBVPNGroup. Let LDAP or Radius take care of the rest.
    You will get the functionality you are looking for.
    HTH
    PS. If this post was helpful, please rate it.

  • ISE 1.2: Remove unused Sponsor Group and Identity Group

    Hi
    I started with ISE 1.1.2 and now upgrade to 1.2.
    There are 1. Sponsor Groups and 2. Identity Groups which are no more in use, but I am not able to remove them anymore.
    1. One is a special Sponsor group which sponsor group policy I already removed. Then I go to Administration>Web Portal Management>Sponsor Groups and select the appropriate Group and click delete and ok to confirm, the following error is displayed:
    com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
    2. The same happens with one Identity Group. I do not have it active anymore. Not in authentication, and not in authorization policy. I go to Administration>Identity Management>Groups> and select the group to remove, and click "Delete selected" and confirm with ok, the following error occurred:
    Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
    Is there any reason for any of these issue?
    Many thanks

    Hi ,
    Please open service request with cisco. These kind of issues may happen when the dependencies are deleted from UI but there is a chance that some of the dependencies may not be deleted completely and are not visible from UI as well.  These kind of issues can be resolved under cisco guidance.
    Thanks,
    Naresh

  • Primary Group and Additional Group in Solaris 10

    hi!
    We've just freshly installed a Solaris 10 system. I'm very new in Solaris. There's something i noticed, and i'm not sure whether is that normal.
    In the user screen in solaris management console, i notice that i'm not able to see the Primary group and additional group list. What i can see is only the Primary group in ID format. I'm able to see it only the first time when i launch the Solaris management console or switch from one workplace to another. After right clicking on the user properties for the second time, it disappears and shows only the primary group id in integer. On the left hand side of the screen, it says "The group cannot be listed. You can change the primary group 10 to another valid integer. Because of error or oversight, group membership cannot be found. You can enter a number for the primary group, but cannot choose from a list of groupnames. Also you cannot choose Seconday Group until the group info is available". "Check group files, NIS maps, or load for possible corruption. If you have not already populated appropiate files or maps, See administrator guide, Naming and Directory Services(DNS, NIS, LDAP) or docs.sun.com for LDAP see also Solaris Management console help, about the toolbox editor to manage LDAP"
    Is that normal? What could be wrong here? Please advise. Thanks.

    hi! Anyone can provide advise on the issue i encountered?

  • Active Directory Groups - Domain Users Group

    Using the AD resource adapter, I am able to assign groups and remove groups, but I noticed that the Domain Users group does not appear in the list of groups the user belongs to. Looking at AD the user does belong, but in IDM it does not list this group membership. Is this normal ?

    Thanks for the reply. I noticed there are quite a few issues with trying to UNC map to any share outside of the local MXE3500. I'm also seeing some issues with FTP watches on an EMC NAS, that has been FTP enabled. The problem I'm seeing now is that the watch will only work, if the watch is at the root level. If I add a file path, it's accepted as valid when I save the directory watch, but looking at the fa.log it's appending the last directory on twice.
    So if my watch is looking at FTP Directory Path of: lifelink
    The fa.log shows: .../lifelink/lifelink/
    the word lifelink is displayed twice, causing an error, stating: "Error checking file size delay"
    thanks,
    Dave

  • Very Urgent Extn.Material Group and Material Group.

    Hi Guru's,
    I created a Generic D.S using table (AFRU) for Orders Confirmation. I created an Info Source and ODS.
    I need to maintain Extn.Material Group and Material Group in the ODS, but these fields are not available in the Data Source (the AFRU table does not have them).
    The Data Source has the field AUFNR (order number), which I mapped to BW Object 0prodorder. I maintained master data for 0prodorder.
    0prodorder master data (0prodorder_attr) has 0material (PLNBEZ field mapped to 0material) as a navigational attribute.
    I am asking all: is it possible to bring Extn.Material Group and Material Group in at update rule level using the master data attribute option?
    Please help me with the above issue. It's very urgent.
    Thanks & Regards,
    Guna.

    Hi Manju & Gopi,
    This Order Confirmations cube has data from 2 data sources.
    There is a performance issue in clubbing so many tables.
    Anyway, I maintained 0material as an attribute (Nav Attr) of 0proorder. I loaded 0prodoreder master data.
    0material has master data. Extn mat group & Material group are Nav Attributes of 0material.
    Now is it possible to maintain the data in the cube for Extn mat group & Material group?
    Please give me a suggestion without adding another table using a view.
    Thanks & Regards,
    Guna.

  • How to display the last value of a field in a group in the group header

    I need to display the last quiz score from a group of quiz scores as part of the header of a group of units (the quiz score values are in the detail record).  I can not use the group footer, which would be the natural place to find the last value.  It must be in the group header because there will be a subsequent group within the unit group.  In other words, the grouping is as follows:
    Unit Group Header (Display last quiz score in unit)
    SubUnit Group Header (Display other detail summaries)
    Detail Record (including quiz score)
    SubUnit Group Footer
    Unit Group Footer
    While there is a minimum/maximum summary function, there is not a first/last function.
    Fuskie
    Who is constantly amazed at the ability of users to request report features that are not easily implemented through Crystal Reports...

    Hi Fuskie,
    One suggestion to display the last quiz score in the Group Header, other than what had already been suggested, will be to use a linked subreport in the Group Header. It is not an efficient way to display the information, but it could do the trick.
    Another suggestion will be to insert a subreport in the report header, then store the last quiz score in an array for each group, then share it with the main report and display the  values in the appropriate group. In this way it will only connect twice to the data source, one for the main report and once for the subreport, instead of multiple connection for each group.
    Finally, the most efficient way will be to have this value calculated on the database side using a command object or a stored procedure.
    Patrick

  • In contacts app how can I move a contact from one group to another group?

    I find I cannot move a contact from one group to another group. If I delete a contact from one group I delete that contact from my total contact population. I did not have this problem in earlier IOS versions. Can anyone help me?

    Thanks SO much, Barney.  How embarrassing, I could have sworn that I tried that first.
    I will definitely get them all moved over before I delete that account and I've already gone in & changed my preferences.  Several years ago, my husband and I decided to share one calendar and one contacts list, using his mobile me account and it's been great for us.  I'm particularly thrilled to no longer serve as a human rolodex and I guess that I panicked a bit when I thought there might be a problem with our system.  I'm still confused where that "On my mac" account came from in the first place.  Do you suppose that was an automatic thing that came with the Mountain Lion upgrade?
    thanks again!

  • How do I move a contact or contacts from one group to another group?

    How do I move contacts from one group to another group on my iPhone?

    Hi ,
    In exchange you cannot have the same email address for multiple recipients .
    First and Best way is  to remove the email address from the old user account and add the same smtp address to the new user who is going to take his place.
    Second option would be forwarding all the emails from old user account to new user account when an email was triggered to the email address ([email protected]) .on this case there is no need to remove or delete the email address from the old user account
    and also email address ([email protected]) will still reside on the old user account .
    If i am at your place i will choose the first option and i agree with DJ
    Grijalva
    Please reply me if you have any queries .
    Regards
    S.Nithyanandham
    Thanks S.Nithyanandham

  • How can I view or sort or group my CONTACT GROUPS together in Outlook 2010?

    How can I view (in my contacts list or address book) or sort/group my CONTACT GROUPS together in Outlook 2010, separately from the individual contacts?

    In the Contact folder, use a custom view that shows only Contact groups.  Create the filter on the filter dialog's Advanced tab -
    Message Class contains IPM.DistList
    Screenshot: http://screencast.com/t/s465l5w16q
    Diane Poremsky [MVP - Outlook]

  • FindChangeByList script to include Style Groups/sub Style Groups

    I've been using this function happily (with varying degrees of success & lots of trial and error) for a while now. I'm not a script writer, understand very little but manage to copy and paste, and hope for the best.
    This has served my wishes for the most part, but I have the need to apply a GREP search/replace to some text that needs to be styled with a paragraph style that lives inside a style group, inside another style group.
    Style group called 'Headings', inside which is a style group called 'News from Areas heads' inside which is a paragraph style called 'b head_red (News from areas)'
    I have picked up on helpful examples from others for applying a paragraph style that lives within one level of "Style Group", but don't know what the correct syntax to describe: a paragraph style within a folder, within a folder, within another folder might be?
    I did wonder if the choice of underscores and brackets in the paragraph style may not help.
    MTIA
    Steve

    Hi Jarek
    Unfortunately I don't have much scripting knowledge, but to answer your questions
    1. paraStyle real name is "b head_red (News from areas)"
        - "b head_red" is used elsewhere. Why didn't I keep it simple?
    2. Do your findWhat string work in UI (run manually)?
        - yes, when I use normal GREP find/change it works okay.
    3. Do your FindChangeByList.jsx work with some simpler example?
        - yes, I use it often. The .txt file I'm working on at the moment already contains about 10 text/glyph changes which work fine. I have had success in applying a 'paragraph style' that is within a 'style group'. But this is the first time I've tried to apply a 'paragraph style' that is in a 'style group', within a 'style group'.
    Steve

  • Creation of new employee groups and sub groups

    Hi All,
    What all the steps should I follow to create new employee groups and sub groups? and  How many structures should I create for this?
    Its urgent pls.......
    Good replies will be rewarded!!!!
    Regards,
    Sita

    Hi
    You can create the employee groups depending up on your clients requirement, Eg: Permanent, Temporary, Seasonal, Trainee, Advisor etc
    And define the employee subgroups and assign them to the employee groups Like
    Enterprise structure>Definition>Human Resource Management-->Employee Groups & Employee Groups
    Enterprise structure>Assignment>Human Resource Management-->Assign employee subgroup to employee group
    You can create employee subgroups depending upon your requirement like asst manager, manager, GM, MD, VP etc. and assign them to the employee subgroups ok.
    Ensure that certain employee subgroups may not be assigned to employee group based on requirement, but create all the employee sub groups which is existing in the organization.
    Regards
