ACS USER IN MULTIPLE GROUP
Dear all
I have an ACS running 4.2 ver.We have integrated this with AD as well.
We had created some groups in acs for vpn and its is dynamically mapped with respective department.Its working fine know.
We have designed wireless implementation here with dynamic vlan assignment.
This is not working beacause user is already a member of one group in acs.I know that i can edit that group and do the wireless parameter settings.
But i would like to know wheather the user can be a member of multiple group or user will be associated with first group.
If we have an option for the user to be in a multliple group how can we do this.
If any one has faced this issue pls reply me at the earliest.
regards
-Danish
Its a bit long winded, but by using multiple Network Access Policies (NAP) in ACS 4.2 you can create specific windows group mappings per NAP.
The NAP is selected dynmically by NAS IP, or NDG or any content within the incoming RADIUS packet. So usually its possible to match on something. NAPs may also have chunks of re-usable RADIUS attributes (Shared Radius Authorisation Components) which can be used instead of setting RADIUS attributes at group level - can reduce the management overhead.
Its not a perfect solution, but should get to where you need to be without having to upgrade.
Facing an ACS audit? Find out how aaa-reports! can help at www.extraxi.com
Similar Messages
-
How can point single user to multiple groups in ACS
Hi,
we are having almost 150 NDG groups in my ACS Server, in that one group is specifically for Security devices like pix & ASA's.
Now My requirement is that i want to Restrict this Security NDG group to one Specific Group under Group setup menu in ACS.
is it possible in ACS Server.
If it possible how can i point multiple multiple groups to single user.
Because not all users required access to this Security NDG group. only few users require the access.Give a read to how NAR works, then apply it to the security group on ACS.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
Regards,
Prem
Please rate if it helps! -
User in multiple groups gets multiple copies of one mail
I have a user who is the manager in a department with multiple groups in it. There is an email group in eudora set up for each administrative group (logical), and the manager's user is in each of those groups (also logical). Frequently it will be logical to send an email to 2, 3 or 4 of those groups, and then (just as you would expect) she gets 2, 3, 4 copies of the email in her inbox. Which falls into the "just what we asked for but not what we want" category...
Does anyone know how to get mac mail or eudora to do "de-duplicating" ? Or are we just stuck with this?Hi..
Ok, so forget group mapping from AD. What you have here are two seperate network services that require individual provisioning... what I call "Service Differentiated Provisioning"
This is where Shared RADIUS Authorisation Profiles come in (I know because I deisgned them :)
Create a NAF for each device - simplest by using their IP addresses.
Next create two shared RACs - one for each service (mobile & home). Inside use RADIUS attributes to assign the ip pool depending on your RADIUS vendor (Cisco?)
eg cisco-av-pair = ip:addr-pool=poolA
Next create the two NAPs - one for mobile access and the other for home access by selecting the appropriate NAF to activate on. Select the authentication types (MSCHAP) and databased (Windows)
Next, edit the Authorisation part of each NAP. Uncheck the tick boxes "Include attributes from user & group records" - this will merge attributes from group, RAC and user... gets MESSY. Anyway you should see a default rule displayed "If a condition is not defined...." - in the Shared RAC dropdown select the RAC that is appropriate for the NAP (ie mobile or home). Then submit.
At this point to avoid clashes... remove any ip allocation settings in the ACS groups A & B.
You should now be able to authenticate users on each network service. They will still map to an ACS group (as before). However the ip pool allocation will now come from the relavent RAC instead of a group.
It may look complicated (um, guess it is) and the NAP pages are not very friendly, but if you work through these steps it should work a treat.
If you run CSRadius -z -p from the command line you'll see all the extra helpful debug I put in :)
Now all you need to do is download the trial of extraxi aaa-reports! (www.extraxi.com) so that you can generate reports to audit the fruits of your labours!
Good luck
Darran -
How to list users under multiple groups and users sub groups
Hi, I am stump, which is not hard to do. i have a list of groups and i want to list the users in those groups and then in the next column lists all the citrix only groups for each user. hopefully im describing that correctly. Heres what i have but it is
not listing the users groups. I am not sure how to proceed.
$CurrentDate = Get-Date
$CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
$Groupname = "Distribution Lists"
$excel = New-Object -comobject Excel.Application
$excel.visible = $True
$wbook = $excel.Workbooks.Add()
$wsheet = $wbook.Worksheets.Item(1)
$wsheet.Cells.Item(1,1) = "Groupname"
$wsheet.Cells.Item(1,2) = "Member"
$wsheet.Cells.Item(1,3) = "ACID"
$wsheet.Cells.Item(1,4) = "Department"
$range = $wsheet.UsedRange
$range.Interior.ColorIndex = 19
$range.Font.ColorIndex = 11
$range.Font.Bold = $True
$intRow = 2
$groups = get-adgroup -Filter * -properties * -Searchbase "OU=Citrix,OU=Permission,OU=Groups,OU=Home Office,OU=domain,DC=Domain,DC=com"
$targetFile = "c:\temp\$groupname $CurrentDate.csv"
Add-Content $targetFile "Group;Member;ACID;Department"
foreach ($group in $groups){
$groupMembers = get-adgroupmember $group -Recursive | Get-ADUser -Properties Department, DistinguishedName| Where-Object { $_.Enabled -eq 'True' } | Select-Object Name, samaccountname, department, distinguishedname, @{n='MemberOf';e={$_.MemberOf -replace '^cn=([^,]+).+$','$1' -join '; '}
foreach ($groupMember in $groupMembers){
$groupName = $group.Name
$memberName = $groupMember.Name
$acid = $groupMember.samaccountname
$groups = $usergroups
#$department = $groupMember.department
$department = $groupMember.memberof
#$DistinguishedName = $gropmember.distinguishedname
$line = "($groupName)--------($memberName)-----($acid)-------($department)------($usergroups)"
add-content $targetFile $line
$wsheet.Cells.Item($intRow,1) = $groupName
$wsheet.Cells.Item($intRow,2) = $memberName
$wsheet.Cells.Item($intRow,3) = $acid
$wsheet.Cells.Item($intRow,4) = $groups
$wsheet.Cells.Item($intRow,5) = $DistinguishedName
$intRow++
$WorkBook.EntureColumn.AutoFit()
$excel.SaveAs("DL" + "name.xlsx")
$excel.Close()Hi Glacket,
Below codes should give you headsup.
This command will give you estimate the result count for each group:
PS C:\Users\Administrator> Get-ADGroup -Filter {Name -like "TestGroup*"} | Select Name, @{Expression={get-adgroupmember $_ -recursive | Measure | Select -ExpandProperty Count};Label="Count"}
Name Count
TestGroup1 7
TestGroup2 8
Note that as said earlier we are getting duplicated results(12,13,14) for users belonging to multiple groups. Result is in order as per earlier code's count and order.
Get-ADGroup -Filter {Name -like "TestGroup*"} | get-adgroupmember -recursive | Select Name,@{Expression={Get-ADPrincipalGroupMembership $_ | Select -ExpandProperty Name};Label="GroupMemberOfName"}
Name GroupMemberOfName
User100 {Domain Users, TestGroup1}
User14 {Domain Users, TestGroup1, TestGroup2}
User13 {Domain Users, TestGroup1, TestGroup2}
User12 {Domain Users, TestGroup1, TestGroup2}
User11 {Domain Users, TestGroup1}
User10 {Domain Users, TestGroup1}
User1 {Domain Users, TestGroup1}
User19 {Domain Users, TestGroup2}
User18 {Domain Users, TestGroup2}
User17 {Domain Users, TestGroup2}
User16 {Domain Users, TestGroup2}
User15 {Domain Users, TestGroup2}
User14 {Domain Users, TestGroup1, TestGroup2}
User13 {Domain Users, TestGroup1, TestGroup2}
User12 {Domain Users, TestGroup1, TestGroup2}
Use below to export to CSV:
Get-ADGroup -Filter {Name -like "TestGroup*"} | get-adgroupmember -recursive | Select Name,@{Expression={Get-ADPrincipalGroupMembership $_ | Select -ExpandProperty Name};Label="GroupMemberOfName"} | Export-Csv C:\ListGroups.csv
Regards,
Satyajit
Please “Vote As Helpful”
if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you. -
Remove user from multiple groups
Hello everyone, first time posting here with a question and I apologize if I'm asking in the wrong location.
To give an idea of what I'm attempting to do, I've recently been developing a vbscript that will take a nightly csv export from my student information system and either create or deactivate student accounts based upon their enrollment status. I have
this function working great now, another function I've been developing is to have accounts moved between OU's based upon the school building code assigned to students which I have working as well. The problem I'm running into right now is having students
removed from existing active directory groups when they move between OU's. Essentially what I would like to do is have the script load the users group membership into an array and then remove any groups that end with STUDENTS, below is the code I have
been working on to accomplish this but have literally hit a brick wall. If it helps all my student groups for each location runs in this fashion.
ABCD_STUDENTS
ABCE_STUDENTS
Any suggestions would be greatly appreciated.
' Student changing OU then we need to update their account to reflect appropriate group memberships.
Set UserObj = GetObject("WinNT://server.domain.net/" & ADusrname) 'This must be hardcoded to domain controller
strUserDN = DN
strUserCN = objuser.cn
'Add user to the school group if not correct
Set objGroup = GetObject(varSchoolGroup)
strUserDN = DN ' Bind to the user object.
strGroupDN = varSchoolGroup ' Specify group Distinguished Name and check for membership.
Set objADObject = GetObject("LDAP://"& strUserDN)
objmemberOf = objadobject.GetEx("memberOf")
If Not (funIsMember (GetObject("LDAP://" & strUserDN),varSchoolGroup)) Then
objmemberOf = objadobject.GetEx("memberOf")
For Each objGroup in objmemberOf
Set objGroupDelete = GetObject ("LDAP://" & objGroup)
If Mid(objgroup,7,8) = "STUDENTS" Then
msgbox "test remove"
objGroupDelete.PutEx ADS_PROPERTY_DELETE,"member",Array(strUserDN)
objGroupDelete.setinfo
subUpdateLogFile studentcounter & " - Removed from student group " & objgroup,student_guid,student_username,student_fullname,"removed group"
End If
Next
'Add user to school group
Set objGroup = GetObject(varSchoolGroup)
objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(struserdn)
objGroup.SetInfo
subUpdateLogFile studentcounter & " - Updated school group to " & student_schoolgroup_ldap,student_guid,student_username,student_fullname,"school group"
objUser.SetInfo
updated = "yes"
End If
Any suggestions would be greatly appreciated.With Bill. This can be done with AD and PowerShell in a couple of lines for reach item.
You are taking an incorrect approach which is making this much harder than it needs to be. Your question is also hard to understand.
Each AD usre object obtained via ADSI will have a list of groups the account is a member of. You use this to remove the user from the group. How you choose this is up to you. You can use an array or a file. You can also =just use
OU associated groups. A user then is added to all or some groups associated with the OU and removed from the groups associated with the OU by just returning the OU associated group list from the OUs.
Designing AD systems is a specialty. Once you fully understand the features and capabilities of AD these things are usually simple and painless. If the design is not done well they are painful and faulty.
We can answer specific questions. Understaning the design and capabilities of AD is mostly up to you.
Start with a tool that is designed to work well with AD like PowerShell. VBScritp is onluy useful to those who are skilled with AD and scripting in VBSdcript. From your script we can see you are a beginner at both. As Bill notes...do yourself
a favor and switch to PowerShell.
¯\_(ツ)_/¯ -
Remove user from multiple Group
Hi All,
Can any one help me on this .
we have around 100 different SSLVPN AD security groups. Need a script or command to remove 790 users
from all these groups.
we have list of user in excel sheet we want to remove from group only.
Regards, TriyambakHi,
Just checking in to see if the suggestion was helpful. Please let us know if you would like further assistance.
TechNet Subscriber Support
If you are
TechNet Subscription
user and have any feedback on our support quality, please send your feedback
here.
Regards, Yan Li -
Adress list custom attribut user in multiple group
Hello,
I am trying to configure some distribution group in exchange 2007
I wanted to have list based on my OU but i cant find how so i went with custom attribut
I put my member in the correct service BUT i have the manager that need to be on all the group and some user in2 or 3 group.
I cant figure how and where to do this!
Can you help?So you're trying to use Dynamic Distribution Groups?
If you're creating the DDG using the Exchange Management Console just be sure to select the "recipient container" in the second dialog box (the one labeled "Filter Settings").
Sometimes its easier to create a "normal" static distribution group and then add the DDGs as members. You can add the DDG that selects the managers to as many different groups as you like. You may wind up with more groups, be the filter on the DDGs will
be much easier to understand (or to create if you must use Powershell to construct the DDG).
--- Rich Matheisen MCSE&I, Exchange MVP -
Assign a user to multiple groups?
Hi everyone,
suppose we have around 500 groups and we want to add a user to all this 500 groups at a time. how can we do that???
(Note: i know adding into each group sequentially but i want to add all groups in a single shot)Its pretty straight forward:
1) You have to create a table with two columns, one for the Login Id's of the user's and second for the group Name.
2) You should populate this table with 500 different login ID's that you are trying to assign to a group, and in the group information in the group column.
3) Create an init block in the RPD that users "GROUP" variable as the data target.
4) As GROUP is a system variable, once the user logs into the OBIEE analytics, he will be assigned to the groups that are populated into this session variable.
Hope that helpful.
Thanks,
-Amith. -
Portal Activity Reports for multiple groups
Hi,
Can the report display the count of users belonging to multiple groups or would it have to be created seperately for each group. I have tried to use wild cards and commas and nothing worked, the field does not accept more than one valid group name to be entered. Any ideas how to work around this without having to create a different report for different groups?
ThanksHi EAmin,
You can only show information about users who belong to a specific group and not multiple groups. But if you want to show users in multiple groups, you can create a new group (say temp) and add the other groups to temp. Now, configure the report to display users in group temp.
Rajiv -
I have ACS appliance, I have made multiiple device group and add different region devices in it. I have redudent ACS running in my enviroment. BUt when i try to add AAA server in Device group i got the error that host already exist. I am only able to add AAA server in only one device group, not other.
Please tell me is it possible to have one AAA server for multiple group.
I have made 5 users and each user will only able to access one group.
Please tell me where i m missing the configuration.Wasim,
There is no need to add aaa server in each NDG. We just need one server and that will take care of all aaa-clients and users.
Regards,
~JG
Do rate helpful posts -
How to add multiple groups in a single user in ldap
I have problem with ldap ,Please clarify the following problem.
My request is --> send the multiple groups at a time with single user.
My code contain single user and single group is working.
Please see the source file ,please solve my problem. i tried , but i did not get.
package com.ldap;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NameAlreadyBoundException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
* This class provides methods for the user management
* @author sudhakar
public class LdapUserMgr {
public final static String USER_ID = "uid";
public final static String COMMONNAME = "cn";
public final static String SURNAME = "sn";
public final static String MEMBEROF = "wlsMemberOf";
public final static String MEMBEROF1 = "wlsMemberOf";
public final static String PASSWORD = "userpassword";
public final static String EMAIL = "mail";
* This method creates new user in the embedded ldap registry
* @return
* @throws Exception
public void createUser() throws Exception {
DirContext ctx = getLDAPConnection();
String userId="sudhakar";
String userName="sudhakar";
String userRole="Assessor";
String password="sudhakar123";
String email="[email protected]";
try{
Attributes attrNew = new BasicAttributes(true);
Attribute objclass = new BasicAttribute("objectclass");
String group = "ou=groups,ou=myrealm,dc=sudhakar_domain";
String people = "ou=people,ou=myrealm,dc=sudhakar_domain";
// add all the object classes required for the user profile
objclass.add("top");
objclass.add("person");
objclass.add("organizationalPerson");
objclass.add("inetOrgPerson");
objclass.add("wlsUser");
// put all the attributes required as part of the user profile
// add object classes
attrNew.put(objclass);
// add user Id
attrNew.put(USER_ID, userId);
// add user common name
attrNew.put(COMMONNAME, userName);
// add user surname
attrNew.put(SURNAME, userName);
// prepare the group path for the user
String role = COMMONNAME + "=" + userRole + "," + group;
// add user to a group
attrNew.put(MEMBEROF,role);
System.out.println("user role is "+role);
// i want to pass multiple user roles at a time
// add user password
attrNew.put(PASSWORD, password);
// add user mail Id
attrNew.put(EMAIL, email);
// Prepare the query string to add the user to the embedded ldap
String query = USER_ID + "=" + userId+ "," + people;
System.out.println("user query is "+query);
// add the user to the LDAP directory
ctx.createSubcontext( query, attrNew );
System.out.println("user" + userId+ "created");
catch ( NameAlreadyBoundException nabe ){
System.out.println(nabe.getMessage());
throw new NameAlreadyBoundException("User by this name already exits");
catch (NamingException namEx) {
System.out.println(namEx.getMessage());
catch(Exception ex){
System.out.println(ex.getMessage());
finally{
closeLDAPConnection(ctx);
public DirContext getLDAPConnection() throws Exception{
DirContext ctx = null;
try{
Hashtable<String,String> env = new Hashtable<String,String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://192.168.100.84:7030/");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=Admin");
env.put(Context.SECURITY_CREDENTIALS,"admin");
// Create the initial directory context
ctx = new InitialDirContext(env);
return ctx;
catch (AuthenticationException authEx){
System.out.println(authEx.getMessage());
throw new AuthenticationException("Authentication failed");
catch (NamingException namEx) {
System.out.println(namEx.getMessage());
throw new NamingException("Naming Exception");
catch(Exception ex){
System.out.println(ex.getMessage());
throw new Exception("Exception Occured");
* This method closes the LDAP connection
* @param ctx
public void closeLDAPConnection(DirContext ctx){
try{
ctx.close();
catch(NamingException nex){
System.out.println(nex.getMessage());
catch(Exception ex){
System.out.println(ex.getMessage());
public static void main(String s[])throws Exception{
LdapUserMgr ldapUserMgr = new LdapUserMgr();
ldapUserMgr.createUser();
Edited by: sudhakar_kavuru on Jun 16, 2009 1:58 AMHi Sudhakar,
try some thing like this.Here I have enclosed the code snippet.
String query = USER_ID + "=" + user.getUserId()+ "," + people;
// add the user to the LDAP directory
// ctx.createSubcontext( query, attrNew );
Attribute att1 = new BasicAttribute(MEMBEROF);
String roleName=user.getUserRoleList().get(0);
String role1 = COMMONNAME + "="+roleName+"," + group;
att1.add(role1);
attrNew.put(att1);
DirContext dirContext =ctx.createSubcontext( query, attrNew );
for (int i = 1; i < user.getUserRoleList().size(); i++) {
Attributes att2 = new BasicAttributes();
String roleNameStr=user.getUserRoleList().get(i);
log.debug("roleNameStr--->"+roleNameStr);
String role2 = COMMONNAME + "="+roleNameStr+"," + group;
log.debug("role2-->"+role2);
att2.put(MEMBEROF,role2);
dirContext.modifyAttributes("", DirContext.ADD_ATTRIBUTE, att2);
} -
Authenticate users by Windows group using ACS
Currently we are using Windows IAS/RADIUS to authenticate users onto out wireless network and it is set to allow users in a certain Windows group to connect.
Is there a way to do this with ACS?
Please note that we are using ACS Solution Engine, not ACS for Windows.
Thanks.Use Remote Agent for Windows user authentication feature or configure Windows AD as the LDAP on ACS SE.
then configure group mapping, and put the restrictions accordingly.
Regards,
Prem
Please rate if it helps! -
ACS - users in more than 1 group
Hi,
is there an option to set users in more than 1 group on the ACS..for example an user in tacacs group and wireless group and citrix group. if so how do i go about doing it ?
ThanksDoes this relate to ACS 5?
In ACS 5 can defined additional attributes for users that can be used in policy decisions -
User belonging to multiple groups
Hi,
If a user belongs to multiple workgroups, Podcast capture should ask him in wich blog he wants to publish its sequence... but it doesn't seem to work.
So my question is : how to deal with that ?
Thanks for your help,
NicolasHi
I know only 2 ways to add some dynamic: posting to user's blog, which supposes to consider that there is only one user who is able to post, otherwise to duplicate workflows and change the target group in it ($$Group Short Name$$ replaced by custom properties or if posted through webUI defined by new field, but it's reliability depends of the human factor..).
In addition, i may ask you what do you mean by "it doesn't seem to work"..? Is Pc Capture supposed to work this way and ask at any moment to which group's blog the podcast needs to be sent when a user belongs to multiple groups ? That would be a terrific news, but i guess they would have announced it..
ju
Message was edited by: JulienC -
ACS User Group Network Access Restrictions
Hi to all,
We have a problem trying to restrict the access for users to an acces point: All users in any group can access the access point, although the group has a network restriction whichs restricts this access.
We have other restrictions which work perfectly. So we are beginning to think that this must be a problem in the access point (Cisco Aironet 1100)...
Thanks in advance,
Coloma CrespíHi Andrew,
Thanks a lot for your reply. I was really worried about this problem, I had tried everything to solve it and anything worked...
Regarding what you say, the network access restrictions we have created are the generic ones. I don´t have the option to choose between a dialup or telnet restriction. Where is it? Can you give more detailed information, please?
Thanks in advance,
Coloma Crespí
Maybe you are looking for
-
Limit Memory usage on Exchange Store
I am looking to limit the Exchange Store. Our Exchange server contains all roles and is being installed to replace a current Exchange 2003 server. Currently all mail now flows through the Ex2k10 server and 5 users have been moved to the new server. T
-
Hello I want to buy your iphone5 S of the U.S. site, but I want to use it in Saudi Arabia what is best option
-
Since using CC, either Photoshop or Bridge will crash in the middle of editing. On average about 4 times an hour. Sometimes it will just quit the program. Other times, whilst in PS, the drop down menus will just appear as white boxes rather than
-
Why did itunes charge me more then once on one transaction
I had made a puchase for $38.35 and it had charged me that same amount 14 times and I don't understand why or how to get that money back???
-
Hi Please let me know the Middleware Configuration settings and some inportant tables in SRM. Thnaks Mukesh Kumar