AD - ACS Group Mappings

I have created a group on ACS and used:
Ext User Database > Ext Grp Mappings to create a mapping between the ACS Group and the AD Group. This works fine on the Primary. However, this information is not replicated to the Secondary. Would I have to recreate the group mappings on each ACS Server (Primary and Backup, and possibly another Backup)? Is there a workaround or a more elegant method?

Hi,
The following items cannot be replicated:
IP pool definitions (for more information, see About IP Pools Server).
ACS certificate and private key files.
Unknown user group mapping configuration.
Dynamically-mapped users.
Settings on the ACS Service Management page in the System Configuration section.
RDBMS Synchronization settings.
Third-party software, such as Novell Requestor or RSA ACE client software.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sad.htm#wp756078
Hope that helps !
Jagdeep

Similar Messages

  • ACS - Replicate Group Mappings for External DB

    We have two ACS Solution Engines (4.0), which basically act as primary and secondary AAA servers. Is there a way to replicate the external database group mappings from one ACS to another? Currently, replication is successfully copying the internal ACS group from the primary to our secondary server, but we still have to create the external database group mapping on both the primary and secondary appliances. This is kind of tedious, and I am worried that someone may set up the mapping on the primary and forget to set it up on the secondary. Any assistance is appreciated.
    Thanks in advance.

    Try replicating the Network Access Profiles. As I recall this includes just about everything!
    Darran

  • User in a windows group - mapping to ACS group appears not to be working

    I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
    Any suggestion?

    Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
    1. External User Databases - Database Configuration - Windows Database - Configure
    Make sure your domain is listed in the Domain List section
    2. External User Databases - Database Group Mappings - Windows Database - Add Manual Mapping
    Make sure you have the right AD group mapped to the internal ACS group; you can even set users* if you want to include all users.
    3. External User Databases - Unknown User Policy
    Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases
    Check "The database in which the user profile is held" radio dial in the Configure Enable Password Behaviour section
    Hope that helps!

  • ACS Group mapping and restrictions

    hi,
    I would appreciate receiving some configuration steps on ACS to fulfill the following requirement and hope you can help me.
    ACS Groups
    Netadmin - need telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    thanks in advance.

    In ACS a user can only belong to one group. But in AD one user can be a part of multiple groups.
    In this scenario, it is very important to understand how ACS group mapping works.
    Let's say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to External User Database == Database Group Mappings == Windows NT/2000 == select the domain to which you are authenticating == Add mapping.
    Select the AD group NetworkAdmin and map it to ciscosecure group 1
    select the AD group RouterAdmin and map it to ciscosecure group 2
    select the AD group Wireless and map it to ciscosecure group 3
    Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is the first configured mapping, it will be looked at FIRST (if a user exists in the NetworkAdmin group it will always be mapped to ciscosecure group 1, NO further mappings for this user are checked, and the user is authenticated or rejected).
    Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
    You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices, you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. With these you permit access on a group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for Wireless or VPN devices, you would need to configure both IP based AND CLI/DNIS based together, because NARs were originally designed for Cisco IOS for routers and switches.
    IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password). The only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.
    ACS will not support the following configuration:
    * An Active Directory user that is a member of 3 AD groups (group A, B and C)
    * Those 3 groups are mapped within ACS as follows: Group1->A, Group2->B and Group3->C.
    * The user is in all 3 groups; however, he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the below order...
    NT Groups         ACS groups
    A,B,C =============> Group 1
    A     =============> Group 2
    B     =============> Group 3
    C     =============> Group 4
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group 1.
    This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG
    Do rate helpful posts

  • Problems with group mappings

    I am testing 802.1x with dynamic VLAN assignment on an ACS 3.3.3 for Windows with a Cat 3750.
    When a new user logs into the machine, ACS is able to poll the AD for the user's credentials; however, the user gets placed into the default group, rather than the group mappings associated with Active Directory.
    The error messages in CSAuth.log I see are the following:
    AUTH 08/24/2005 23:25:25 E 0365 1000 External DB [NTAuthenDLL.dll]: NetUserGetLocalGroups failed with result [5]
    AUTH 08/24/2005 23:25:25 E 0365 1000 External DB [NTAuthenDLL.dll]: nt_GetUsersNTGroups failed
    I can manually move the users to the proper groups; however, why are they not being moved to their proper groups? Anyone else seen the problem/error messages above?

    Hi,
    Did you ever get to the bottom of this issue? I have the same issue with ACS 3.3.3 for Windows. I have not seen this issue on any other ACS Win / Appliance installs.
    Thanks in advance
    Allan
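The two CSAuth.log lines quoted in the post above can be checked for automatically. This added example (not Cisco code) parses lines in that format and reports external-database group lookup failures, which are what leave a user in the ACS default group; the sample log is constructed from the post plus one made-up success line, and the Win32 result-code names are the standard ones.

```python
import re

# Field layout seen in the post: service, date, time, level, two numeric ids, message.
LINE_RE = re.compile(
    r"^(?P<svc>\w+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]) (?P<id1>\d{4}) (?P<id2>\d{4}) (?P<msg>.*)$"
)
# Messages that carry a Win32 result code, e.g. "NetUserGetLocalGroups failed with result [5]".
RESULT_RE = re.compile(r"(?P<api>\w+) failed with result \[(?P<code>\d+)\]")
# Standard Win32 error codes relevant to a domain group lookup.
WIN32 = {5: "ERROR_ACCESS_DENIED", 53: "ERROR_BAD_NETPATH", 1326: "ERROR_LOGON_FAILURE"}

# Constructed sample: the two lines from the post plus one informational line.
SAMPLE_LOG = """\
AUTH 08/24/2005 23:25:25 E 0365 1000 External DB [NTAuthenDLL.dll]: NetUserGetLocalGroups failed with result [5]
AUTH 08/24/2005 23:25:25 E 0365 1000 External DB [NTAuthenDLL.dll]: nt_GetUsersNTGroups failed
AUTH 08/24/2005 23:26:01 I 0365 1000 External DB [NTAuthenDLL.dll]: user 'jdoe' authenticated
"""


def parse_line(line):
    """Split one CSAuth.log line into fields; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    r = RESULT_RE.search(rec["msg"])
    rec["api"] = r.group("api") if r else None
    rec["code"] = int(r.group("code")) if r else None
    return rec


def group_lookup_failures(text):
    """Return (timestamp, api, code, meaning) for each external-DB error that carries a result code."""
    found = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "E" and "External DB" in rec["msg"] and rec["api"]:
            found.append((f"{rec['date']} {rec['time']}", rec["api"], rec["code"],
                          WIN32.get(rec["code"], "unknown")))
    return found


if __name__ == "__main__":
    for ts, api, code, meaning in group_lookup_failures(SAMPLE_LOG):
        print(f"{ts}: {api} returned {code} ({meaning}); AD group mapping cannot be applied")
```

A result of 5 (access denied) on the group lookup means the ACS service account could not read the user's group list, so no mapping matches and the default group is used.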

  • Dynamic Mapping to ACS groups using OU instead of NT group

    Is there a way to use the Microsoft AD OU groups instead of the old NT groups to dynamically map users to the ACS groups? We are using an ACS server at version 3.2 as well as some test servers on 3.3.

    Cisco Secure ACS for Windows Servers 3.2 only supports two versions of the Windows 2000 operating system:
    1) Windows 2000 Server, with Service Pack 3 or Service Pack 4 installed
    2) Windows 2000 Advanced Server, with the following conditions:
    with Service Pack 3 or Service Pack 4 installed
    without Microsoft clustering service installed
    without other features specific to Windows 2000 Advanced Server enabled

  • ACS group mapping

    Hello,
    we are using ACS 4.2 to authenticate network admins to access switches and routers. ACS is integrated with Windows Active Directory.
    So we map AD groups to ACS groups and we specify access restrictions in ACS groups.
    Now we want to use this ACS to authenticate wireless users. Wireless users will use their AD accounts.
    So I think we should create a new internal group in ACS and map AD mobile users to this group. Using RADIUS attributes we can put these users in one particular VLAN.
    However, what if one network administrator accesses the wireless network? He will use the AD account that belongs to both groups: the network-admin group and the wireless group.
    So what will ACS do in this case? Will it be mapped to the first group or the second, or maybe both?!!!

    I can't see how NAP can resolve my issue.
    Suppose ohasairi is one account in AD that belongs to AD groups: network-admin and wireless-users.
    AD network-admin is mapped to the ACS network-admin group. This group is configured with a NAR to limit access to some network devices.
    AD wireless-users is mapped to ACS wireless-users, which is configured with adequate Airespace attributes and IETF attributes to let it into VLAN 80 (wireless VLAN).
    Now if I put the network-admin mapping first, then if ohasairi tries to access the wireless network it will not succeed, because it will be mapped to the network-admin group, and this group is not configured with the IETF attributes that let the user into VLAN 80!
    If I put the wireless-users mapping first, then if ohasairi tries to access one network device, I am afraid it will be assigned to VLAN 80!
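The first-match behaviour ~JG describes in the "ACS Group mapping and restrictions" thread above, and the network-admin/wireless-users conflict in this post, can be reproduced with a small simulation. This is an added example, not Cisco code: it models each ACS mapping as the set of AD groups a user must hold, evaluates mappings in configured order, and stops at the first one that is fully satisfied; the group and user names are constructed from the two threads.

```python
def resolve_acs_group(user_ad_groups, mappings, default_group="Default Group"):
    """Return the ACS group of the first mapping whose AD groups the user all holds.

    mappings: ordered list of (required_ad_groups, acs_group). Later mappings are
    never consulted once one matches, which is the behaviour described in the thread.
    """
    member = set(user_ad_groups)
    for required, acs_group in mappings:
        if set(required) <= member:  # user must be in every AD group of the mapping
            return acs_group
    return default_group  # nothing matched: ACS falls back to the default group


def matching_mappings(user_ad_groups, mappings):
    """List every mapping that would match, in order, to make the first-match effect visible."""
    member = set(user_ad_groups)
    return [acs for required, acs in mappings if set(required) <= member]


# Order the thread warns about: single-group mappings only, so a user in A, B and C
# always lands in Group 1 and the per-group rules for B and C never apply to him.
SINGLE_GROUP_ORDER = [({"A"}, "Group 1"), ({"B"}, "Group 2"), ({"C"}, "Group 3")]

# Order the thread recommends: the combined mapping comes first, so only users in
# all three AD groups get Group 1; everyone else falls through to their own group.
COMBINED_FIRST_ORDER = [
    ({"A", "B", "C"}, "Group 1"),
    ({"A"}, "Group 2"),
    ({"B"}, "Group 3"),
    ({"C"}, "Group 4"),
]

# The ohasairi case from this post, with a dedicated mapping for admins who also
# use wireless placed ahead of the two single-group mappings.
OHASAIRI_ORDER = [
    ({"network-admin", "wireless-users"}, "admin-wireless"),
    ({"network-admin"}, "network-admin"),
    ({"wireless-users"}, "wireless-users"),
]

if __name__ == "__main__":
    for label, order in (("single", SINGLE_GROUP_ORDER), ("combined", COMBINED_FIRST_ORDER)):
        for user, groups in (("cisco", {"A"}), ("multi", {"A", "B", "C"}), ("cisco2", {"C"})):
            print(f"{label:9} {user:7} -> {resolve_acs_group(groups, order):8}"
                  f" (all matches: {matching_mappings(groups, order)})")
    print("ohasairi ->", resolve_acs_group({"network-admin", "wireless-users"}, OHASAIRI_ORDER))
```

Because a user still ends up in exactly one ACS group, the combined group needs both the NAR and the VLAN attributes; the ordering alone cannot give different results per access type.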

  • Problem using a group which has a space in its DN when using LDAP Group mappings in UCS 1.4

    Hey,
    We've been implementing LDAP authentication (Active Directory) using LDAP group mapping in UCS 1.4, and we've noticed that when using a group which has a DN with a space in it (such as "UCS Admins") it wouldn't authenticate the user with the appropriate role.
    Using a DN without spaces (such as "UCSAdmins"), works just fine.
    I should mention that having a base DN with spaces works just fine as well; it's just the group mappings that don't work.
    I should also mention that Cisco's "Quick guide to configuring ldap for ucs 1.4" shows an example in which the group's DN doesn't include a space.
    Is there a workaround available which makes it possible to use a group which has a space in its name?
    Thanks,
    Dor

    Hey Roman,
    Thanks for your prompt reply.
    We've tried putting quotes using UCSM which is not possible at all - not for the entire entry nor for the part with spaces.
    We've also tried using CLI ("scope security/ldap/ldap-group") where you have to put quotes if you use a DN with spaces, and it still doesn't work. Furthermore, we tried adding quotes only to the part with the spaces, i.e. - CN="UCS Admins",OU=TEST,DC=TEST. It adds the entry without an error, but shows like we would use "CN=UCS Admins,OU=TEST,DC=TEST". Anyway, it doesn't work either.
    Thanks again,
    Dor

  • ACS Group to NT Group mapping

    Can anyone tell me if the ACS server (2.6 Build 10) needs to be in the domain (or a trusted domain) that you want to map your ACS groups to? My ACS server is a stand-alone server, not a member of any domain, but I cannot map users to groups anywhere except the local ACS NT Groups. Any help is appreciated.
    Tom

    You won’t be able to map your domain users/groups to the ACS database unless the server is on the domain. A standalone server will have a local security database only.

  • Why is RADIUS not listed on the ACS "Group Setup" list?

    On ACS 3.3, I go to main menu,
    I choose "Interface Configuration".
    I make sure that "IETF RADIUS Attributes" is selected.
    Then I refresh the browser, I go to "Group Setup".
    At the top of the page, I attempt to pick the "RADIUS" configuration. However, it doesn't appear listed there.
    As you can see on the attached bitmap, only a few options are available, even though I selected a number of them from the User Interface as an exercise.
    Please note that I already mapped a couple of Windows groups to the respective ACS Groups so that I can configure VPN and Wireless authentication.
    Any idea what I am missing here?
    Why doesn't the RADIUS configuration option show up?
    I already attempted to close and relaunch ACS Admin, with no progress.

    In fact I don't recall adding a "RADIUS device";
    Is that just a configuration, or do I need to physically connect a special server there?
    Sorry for my ignorance, but I thought that the ACS server I am working on would be the provider of RADIUS services? Can you clarify that?

  • Config for Account Group Mappings

    I have a problem with middleware in that when I create a Payer it should be created in account group Z012 in R/3, however it is being created in Account Group Z001.
    I have checked various places such as CRMC_T077D but I cannot find where the BP Role maps to this account group.
    Can anyone give me any advice on where to look and what to check for?
    Many Thanks
    David

    Hi David,
    Kindly maintain the mappings in tx code PIDE in ECC for the CRM to R/3 mapping.
    This should help.
    Regards,
    Rekha Dadwal
    Kindly reward points if useful.

  • Need help in ACS group design

    I have 3 NDGs and 3 user groups. The NDGs are core devices, edge devices and AccessPoints. The user groups are End users, Guest users, Lan users and core users.
    I want to give the core users access to all network devices and access to wireless via EAP based protocols.
    The lan users I would like to give the same wireless access, but only have access to the edge devices NDG.
    The end and guest users just need access to wireless.
    I am using an LDAP database. I am trying to figure out how to configure the wanted results.
    Any help would be appreciated.

    The document has configuration of group in Cisco Secure ACS.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/interfac.pdf

  • Different ACS Group

    I have made two ACS user groups, tac 1 and tac 2, and assigned them full rights on two different Network Device Groups, G1 and G2. Tac 1 is only able to access the G1 group, not the other group.
    Now my requirement is that the Tac 1 user group also accesses G2 devices, but with limited commands.
    Right now I am achieving this by making a third user group G3 and assigning it Readonly permission on all devices.
    But I want the same tac 1 group users to get full rights on G1 devices but read only for G2 devices.
    Please tell me how to achieve this.

    You need to use the option "Assign a Shell Command Authorization Set on a per Network Device Group Basis", under Shell Command Authorization.
    Regards,
    ~JG

  • Router Access for Specific ACS Group

    I want to use TACACS to control access to all our Cisco switches and routers. I have a Cisco ACS device that can be used to centrally manage engineer accounts. The ACS server is, however, also used to store our corporate users' VPN accounts.
    Can I limit access to the routers and switches to only users in the Engineers group on the ACS server?

    Hello,
    If you are using ACS 4.x, limiting access through Network Access Restrictions (NARs) might help you out:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
    Let me know if this helps, or alternatively if you are using ACS 5 (in which case the scenario is a little bit different).
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • ACS- Dynamic VLANS for different ACS groups with AD

    Hi all,
    How do I tie different Active Directory domain groups to different ACS defined groups? Each domain group will be tied to an ACS defined group with a different VLAN. I read about the option in help but don't see the option to actually do it.
    Using ACS 3.3.
    JT

    You could refer to the document 'User Group Mapping and Specification' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/qg.htm#.
