Cisco ACS Group Settings per NDG

I am trying to figure out if there is a way to make certain settings that fall under a group configuration such as:
Usage Quotas,
Time of Day Access,
Max Sessions
to apply differently depending on which network device group the user is coming from.
So for example if Jsmith belongs to group Staff and is coming from the VPN he will have one time of day access rules configured, where if he 802.1x's on a device in another NDG he gets another time of day access rule?
I know you can apply ACLs based on the NDG the user is coming from, but it seems like the other options I mentioned above should be able to be controlled by NDG as well.
We are running v3.3 of ACS.
Any suggestions?

I don't think that is possible. You have the option of NAPs, where you can define which database is used for a specific user, or if users come from wireless use AD and if users come from VPN use the RSA DB.
Please see this link,
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
Regards,
~JG

Similar Messages

  • Issue with Cisco ACS 4.2: users unable to log in to AAA client, but after restarting group policy able to log in

    Issue with Cisco ACS 4.2: users unable to log in to AAA client, but after restarting group policy able to log in.

  • HT4199 I have a new iPhone 4s.  I have a home wi-fi network using Cisco Linksys2000 router with all settings per this article - phone will not see network if set to 5 GHz channel width - solution??  2.4 works but is not optimal with other devices in home

    I have a new iPhone 4s.  I have a home wi-fi network using Cisco Linksys2000 router with all settings per this article - phone will not see network if set to 5 GHz channel width - solution??  2.4 works but is not optimal with other devices in home (computers; tivo).  Have others seen this?  Any advice is much appreciated.

    Stephen Spark is right - your best alternative is to use a simultaneous dual band wireless router like the AirPort Extreme. Your Cisco Linksys2000 is not a dual band router, meaning that it will be constrained to operate at the slowest speed of all the devices on your network.
    The AirPort Extreme's dual networks will support all your 802.11n devices as well as all your 802.11b/g devices on both the 2.4 and 5 GHz frequencies simultaneously.

  • Cisco ACS 5.3 - How to only allow specific AD groups to login

    Can anyone help me figure out what I have wrong or have missing?
    I've configured three specific AD groups, Admin, Storage, and HelpDesk, with their own commands sets.
    This seems to be working fine, but everyone can log into everything, but they can't do anything except exit.
    My goal is to not allow anyone to login that is not part of the three AD groups I have specified with the respective command sets.
    All the logins hit the Admin account, even though the id in AD is not in that AD group.  I have something screwed up.

    Check your authorization rules, and make sure the default rule isn't set to Permit. Group Mapping only maps AD groups to internal ACS groups; we need to check your authorization rules to see which policies the users are hitting. You may want to reset the hit count and test to see which policy is allowing access.
    Thanks,
    Tarik Admani

  • Cisco ACS 4.2 one user in multiple local groups

    Currently i have group mapping like this
    ACS Groups           Window Groups
        Grp-A-B             Grp-1 and Grp-2
        Grp-A                        Grp-1
        Grp-B                        Grp-2
    For example, currently one user test1 is part of both groups 1 and 2 in Windows and is mapped to Grp-A-B in ACS. Is it possible, if I delete the Grp-A-B mapping in ACS, to see the user test1 separately in both groups (Grp-A and Grp-B) in ACS?

    Salam Muhammad,
    If you have a local user in ACS, that user cannot be a member of two groups at the same time.
    The same concept applies to external users. They cannot be mapped to two different groups at the same time.
    If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list, because ACS 4.2 processes the group mappings in order:
    '''snip'''
    Group Mapping Order
    ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.
    ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.
    '''snip'''
    Reference:http://goo.gl/cvc474
    HTH
    Amjad

  • "Make proxy settings per-machine (rather than per user)" Group Policy setting not applied until login as a local Administrator

    We want to deploy the pac file to all our desktops to configure the proxy. We have a Windows 2008 R2 server, and I've enabled the GPO "Make proxy settings per-machine (rather than per user)", and I've added a registry key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current
    Version\Internet Settings" with the pac file link.
    I've tested on my PC, and all was configured without any problem. I tried to log in to my computer with another user (without admin rights) and the automatic proxy configuration was compiled and not modifiable. It seems that all works.
    But our users are not local admins, so I've tried to deploy the GPO on a colleague's computer. I forced the update of the GPO, checked in the registry that all new keys were added, and rebooted the PC. When I checked the IE settings, the autoconfig URL was empty and
    greyed out. I disconnected from the user and logged in to the PC with a local admin. To my surprise, the IE settings were compiled. When I came back to the user profile the IE settings were compiled and not modifiable.
    The problem is: I have over 750 users in 3 countries, and I don't want to grant them local admin permissions. How can I configure proxy settings via GPO without logging in to every machine at least one time?

    > have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy
    > settings per-machine (rather than per user)", and i've add a registry
    > key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current
    > Version\Internet Settings" with the pac file link.
    In the past, we experienced various issues with machine proxy settings,
    so we don't use them anymore. The simple approach:
    Block access to the connections page through ADM template settings and
    deploy the proxy through GPP Internet Settings.
    This is what we do (with a pac file, too), and it works well :)
    Martin

  • ACS Group mapping and restrictions

    hi,
    I would appreciate receiving some configuration steps on ACS to fulfill the following requirement and hope you can help me.
    ACS Groups
    Netadmin - needs telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    thanks in advance.

    In ACS a user can only belong to one group. But in AD we can have one user as part of multiple groups.
    In this scenario, it is very important to understand how ACS group mapping works.
    Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
    Select the AD group NetworkAdmin and map it to ciscosecure group 1
    select the AD group RouterAdmin and map it to ciscosecure group 2
    select the AD group Wireless and map it to ciscosecure group 3
    Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
    Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
    You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
    routers and switches.
    IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
    username is to go to usersetup find that user and delete it manually.
    ACS will not support the following configuration:
    *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
    *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the order below...
    NT Groups ACS groups
    A,B,C =============> Group 1
    A =============> Group 2
    B =============> Group 3
    C =============> Group 4.
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
    This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG

  • Need help in ACS group design

    I have 3 NDGs and 3 user groups. The NDGs are core devices, edge devices and AccessPoints. The user groups are End users, Guest users, Lan users and core users.
    I want to give the core users access to all network devices and access to wireless via eap based protocols.
    The lan users, I would like to give the same wireless access, but only have access to edge devices ndg.
    The end and guest users just need access to wireless.
    I am using an LDAP database. I am trying to figure out how to configure the wanted results.
    Any help would be appreciated.

    The document has configuration of group in Cisco Secure ACS.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/interfac.pdf

  • CISCO ACS, How to Limit User Session ?

    Hi Guys,
    hope you would help me,
    how to limit the user session in ACS 5.x?
    I'm aware of the menu at
    Access Policies > Max User Session Policy > Max Session Group Settings
    I already set the global value to 1, Max Session for User in Group to 1, and Max Session for Group to 1.
    So it means the user could only open 1 connection at the same time, right?
    The problem: it didn't work.
    I have 1 ACS 5.5
    2 Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3)
    (let's call them R1 and R2)
    I'm trying to telnet to both of them at the same time, and it works (it means the session limit didn't work, cmiiw).
    I already included:
    radius-server attribute 44 include-in-access-req
    radius-server host 192.168.217.98 auth-port 1645 acct-port 1646 key somekey
    on the line vty:
     accounting connection acs
     login authentication acs
    Am I missing something?
    Also, does this feature work on TACACS+ too?
    Thanks,

    Dash,
    You can leverage the group mapping feature where members of a certain AD group are mapped to a local group in ACS with the max sessions defined.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/user/guide/acsuserguide/access_policies.html#pgfId-1162308
    Thanks,
    Tarik Admani
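    As an added illustration (not code from the thread or from Cisco), the block below models how a AAA server enforces a Max Sessions limit of the kind discussed in this post. The server never sees the NAS's sessions directly: it counts them from the RADIUS accounting Start/Stop records it receives, keyed by User-Name and Acct-Session-Id (attribute 44), and consults that count when the next Access-Request arrives. User name, group name, session ids and the `SessionLimiter`/`telnet_scenario` helpers are all constructed for the example; that the count comes from accounting is the assumption the example rests on.

```python
# Added example, not ACS code: Max Sessions enforced from accounting records.
START, STOP = 1, 2  # RADIUS Acct-Status-Type values (RFC 2866)


class SessionLimiter:
    """Hypothetical per-user / per-group session counter driven by accounting."""

    def __init__(self, max_per_user: int, max_per_group: int, user_group: dict):
        self.max_per_user = max_per_user
        self.max_per_group = max_per_group
        self.user_group = user_group   # user -> group name (constructed mapping)
        # (User-Name, Acct-Session-Id) -> NAS that reported the session
        self.active = {}

    def accounting(self, user: str, status_type: int,
                   acct_session_id: str, nas: str) -> None:
        """Consume one Accounting-Request. Only Start/Stop change the count;
        Interim-Update (3) and other status types are ignored here."""
        key = (user, acct_session_id)
        if status_type == START:
            self.active[key] = nas
        elif status_type == STOP:
            self.active.pop(key, None)   # Stop for an unknown session: no-op

    def sessions_for_user(self, user: str) -> int:
        return sum(1 for (u, _) in self.active if u == user)

    def sessions_for_group(self, group: str) -> int:
        return sum(1 for (u, _) in self.active
                   if self.user_group.get(u) == group)

    def admit(self, user: str) -> bool:
        """Decision for an Access-Request: reject when the user, or the
        user's group, is already at its limit according to the counter."""
        if self.sessions_for_user(user) >= self.max_per_user:
            return False
        group = self.user_group.get(user)
        if group is not None and self.sessions_for_group(group) >= self.max_per_group:
            return False
        return True


def telnet_scenario(nas_sends_accounting: bool) -> list:
    """Replay the post's test: user 'dash' (limit 1) logs in to R1, then tries
    R2 while the R1 session is still open, then R1 logs off and R2 is retried.
    Returns the server's admit decisions in order. With no accounting for the
    login session, the server counts zero sessions and admits every attempt."""
    limiter = SessionLimiter(max_per_user=1, max_per_group=1,
                             user_group={"dash": "NetAdmins"})
    decisions = []

    decisions.append(limiter.admit("dash"))                 # login to R1
    if nas_sends_accounting:
        limiter.accounting("dash", START, "0000001A", "R1")  # constructed id

    decisions.append(limiter.admit("dash"))                 # R2 while R1 is open

    if nas_sends_accounting:
        limiter.accounting("dash", STOP, "0000001A", "R1")   # R1 logs off
        decisions.append(limiter.admit("dash"))             # R2 retry
    return decisions


if __name__ == "__main__":
    print("with accounting   :", telnet_scenario(True))    # [True, False, True]
    print("without accounting:", telnet_scenario(False))   # [True, True]
```

    Two things worth checking against a real setup. First, the counter only knows about sessions for which it received a Start: on IOS a VTY login is an exec session, and `aaa accounting connection` covers outbound connections the router originates (telnet from the router), so confirm in the server's accounting log that a Start actually arrives for the login itself. Second, a Stop that never arrives (NAS reload, lost UDP datagram) leaves a stale session counted against the user until it is aged out or cleared, which shows up as a user being refused while they have no session open.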

  • AD - ACS Group Mappings

    I have created a group on ACS and used:
    Ext User Database > Ext Grp Mappings to create mapping b/w ACS Group and AD Group. This works fine on Primary. However this information is not replicated to secondary. Would I have to recreate group mappings on each ACS Server (Primary and Backup and possibly another Backup). Is there a workaround or a more elegant method?

    Hi,
    The following items cannot be replicated:
    IP pool definitions (for more information, see About IP Pools Server).
    ACS certificate and private key files.
    Unknown user group mapping configuration.
    Dynamically-mapped users.
    Settings on the ACS Service Management page in the System Configuration section.
    RDBMS Synchronization settings.
    Third-party software, such as Novell Requestor or RSA ACE client software.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sad.htm#wp756078
    Hope that helps !
    Jagdeep

  • Limitations of Cisco ACS server

    I want to ask about limitations of Cisco ACS server 3.3 .
    I use the ACS server for RADIUS authentication, and it has a limit of 80 authentications per second. But at peak time I need 150-200 authentications per second. Is this a software limitation, or does it change due to hardware performance?
    Can i also solve this problem with a High Availability configuration.

    Hi
    ACS performance is a very complex issue and depends largely on
    1) auth protocol (anything eap is SLOW)
    2) backend (anything external is SLOW)
    3) server CPU
    We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against internal DB.
    AD authentication/group mapping can take several seconds to complete.
    ACS's big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of tcp/ip connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 tcp/ip connections to CSAuth. Messages to CSAuth are blocking, so 20 simultaneous authentications that took 1 second would cap performance to 20 auths/sec.
    EAP-TLS and now EAP-FAST are really really slow because they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1x supplicant.
    Putting ACS onto a quad CPU server won't reduce back-end external db latency or increase concurrency.
    The only way to increase performance is to add more servers... and then you'll also have to get into load balancing :(
    IMHO Cisco needs to make a low cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database.
    Darran

  • HELP! Cisco ACS v 3.3

    Greetings,
    I have recently inherited an older ACS server. I am having trouble with certain ACS groups accessing resources which they are not assigned to.
    I've set up the Windows Database and that works fine; assigning a specific AD group to an ACS defined group works also.
    But when I assign another Windows AD group to another ACS group, this group can access resources in other groups, which I don't want.
    Is there something I am missing? I looked up and down, with no luck.
    Any help is appreciated.
    Thanks!  

    Mike,
    Is the user a member of multiple groups in windows? Here is the following note within ACS 3.3:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/qg.html
    Group Mapping Order
    Cisco Secure ACS always maps users to a single Cisco Secure ACS group,  yet a user can belong to more than one group set mapping. For example, a  user, John, could be a member of the group combination Engineering and  California, and at the same time be a member of the group combination  Engineering and Managers. If there are Cisco Secure ACS group set  mappings for both these combinations, Cisco Secure ACS has to determine  to which group John should be assigned.
    Cisco Secure ACS prevents conflicting group set mappings by assigning a  mapping order to the group set mappings. When a user authenticated by an  external user database is to be assigned to a Cisco Secure ACS group,  Cisco Secure ACS starts at the top of the list of group mappings for  that database. Cisco Secure ACS checks the user group memberships in the  external user database against each group mapping in the list  sequentially. Upon finding the first group set mapping that matches the  external user database group memberships of the user, Cisco Secure ACS  assigns the user to the Cisco Secure ACS group of that group mapping and  terminates the mapping process.
    Clearly, the order of group mappings is important because it affects the  network access and services allowed to users. When defining mappings  for users who belong to multiple groups, make sure they are in the  correct order so that users are granted the correct group settings.
    For example, a user, Mary, is assigned to the three-group combination of Engineering, Marketing, and Managers. Mary should be granted the privileges of a manager rather than an engineer. Mapping A assigns users who belong to all three groups Mary is in to Cisco Secure ACS Group 2. Mapping B assigns users who belong to the Engineering and Marketing groups to Cisco Secure ACS Group 1. If Mapping B is listed first, Cisco Secure ACS authenticates Mary as a user of Group 1, and she is assigned to Group 1, rather than Group 2 like managers should be.
    Tarik Admani
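    The first-match rule quoted in this reply, in Amjad's reply on one user in multiple local groups, and in JG's reply on group mapping and restrictions is easy to get wrong in practice, so here is an added example (not code from the thread or from Cisco) that models the ACS 3.x/4.x group set mapping walk. It reproduces the Mary/Engineering/Marketing/Managers case from the quoted guide and the A, B, C ordering from JG's reply, and adds a check for mappings that can never match. The functions `map_user`, `shadowed_mappings` and `ordered_by_specificity` are hypothetical helpers, not an ACS API; the group names are the ones used in the thread.

```python
# Added example, not ACS code: ACS assigns an external-database user to the
# ACS group of the FIRST mapping (top to bottom) whose external group set is
# entirely contained in the user's memberships, then stops.
from typing import Iterable, List, Optional, Sequence, Set, Tuple

# One mapping: the external groups the user must ALL belong to, and the ACS
# group assigned when that set matches.
Mapping = Tuple[Set[str], str]


def map_user(user_groups: Iterable[str], mappings: Sequence[Mapping],
             default: Optional[str] = None) -> Optional[str]:
    """Return the ACS group for a user using the first-match rule."""
    memberships = set(user_groups)
    for required, acs_group in mappings:
        if required <= memberships:
            return acs_group
    return default   # nothing matched: the "unknown group" handling applies


def shadowed_mappings(mappings: Sequence[Mapping]) -> List[int]:
    """Indices of mappings that can never match, because an earlier mapping
    requires a subset of their groups: every user who satisfies the later
    mapping already satisfied the earlier one. This is exactly the Mapping B
    before Mapping A mistake described in the guide."""
    shadowed = []
    for i, (required, _) in enumerate(mappings):
        for earlier, _ in mappings[:i]:
            if earlier <= required:
                shadowed.append(i)
                break
    return shadowed


def ordered_by_specificity(mappings: Sequence[Mapping]) -> List[Mapping]:
    """Reorder so that larger group sets come first (stable for equal sizes):
    combination mappings above the single-group mappings they contain."""
    return sorted(mappings, key=lambda m: -len(m[0]))


# Mary from the guide: Mapping B (Engineering+Marketing) listed before
# Mapping A (Engineering+Marketing+Managers).
MARY = {"Engineering", "Marketing", "Managers"}
WRONG_ORDER: List[Mapping] = [
    ({"Engineering", "Marketing"}, "Group 1"),
    ({"Engineering", "Marketing", "Managers"}, "Group 2"),
]
RIGHT_ORDER = ordered_by_specificity(WRONG_ORDER)

# The A, B, C case from JG's reply: flat single-group mappings versus the
# combination mapping placed first.
FLAT: List[Mapping] = [({"A"}, "Group 1"), ({"B"}, "Group 2"), ({"C"}, "Group 3")]
COMBINED: List[Mapping] = [
    ({"A", "B", "C"}, "Group 1"),
    ({"A"}, "Group 2"),
    ({"B"}, "Group 3"),
    ({"C"}, "Group 4"),
]

if __name__ == "__main__":
    print("Mary, wrong order:", map_user(MARY, WRONG_ORDER))        # Group 1
    print("Mary, right order:", map_user(MARY, RIGHT_ORDER))        # Group 2
    print("shadowed in wrong order:", shadowed_mappings(WRONG_ORDER))  # [1]
    print("A+B+C user, FLAT:", map_user({"A", "B", "C"}, FLAT))     # Group 1
    print("A+B+C user, COMBINED:", map_user({"A", "B", "C"}, COMBINED))  # Group 1
    print("B-only user, COMBINED:", map_user({"B"}, COMBINED))      # Group 3
```

    `shadowed_mappings` is the check to run over an exported mapping list before blaming NARs or authorization settings: any index it returns is a mapping no user will ever reach, and a non-empty result is the usual cause of "users in a second AD group still land in the first ACS group".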

  • Dynamic Maping to ACS groups using OU instead of NT group

    Is there a way to use the Microsoft AD OU groups instead of the old NT groups to dynamically map users to the ACS groups? We are using ACS server at version 3.2 as well as some test servers on 3.3.

    Cisco Secure ACS for Windows Servers 3.2 only supports two versions of the Windows 2000 operating system
    1)Windows 2000 Server, with Service Pack 3 or Service Pack 4 installed
    2)Windows 2000 Advanced Server, with the following conditions:
    with Service Pack 3 or Service Pack 4 installed
    without Microsoft clustering service installed
    without other features specific to Windows 2000 Advanced Server enabled

  • Cisco ACS 4.2.1.15 for Windows and Network Access Profiles

    We are attempting to configure ACS 4.2.1.15 on a Windows Server 2008 Member Server. Initially I only have the need to authenticate Network Admins for device administration and authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point for PEAP and also set up the Access Point for RADIUS authentication pointed to the ACS server, it always maps to the first Network Access Profile, and rather than trying the second it will error saying some condition is not met, depending on what changes I make. Can someone tell me what the criteria are that are used to determine what NAP is used? According to the manual, if all 4 criteria are not met then the Profile will not apply.
    I am using one ACS group that is mapped to an AD group for Wireless Access and a second ACS group mapped to an AD group that includes the Net Admins. This group mapping appears to be working, as the user group name seems to be mapped correctly in the logs.  In short, I have tried only configuring the Wireless NAP to only allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Basically what happens is if I have the Wireless NAP first it works fine for PEAP authentication on Wireless, but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication profile is not allowed in this Network Access Profile. Why does this not just go on to the next Network Access Profile?
    I am familiar with version 3.2 but it does not seem to work the same.
    Any help would be appreciated on what I am missing.
    Thanks

    Hi Surenda,
                       Thanks for your reply. Nop, there is no WLC yet, but the WLC will be installed shortly.
    Thanks,
    Jean Paul

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
    router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
    I use tacacs+ authentication for logging into the Cisco router
    such as telnet and ssh. In the ACS I use "external user databases"
    for authentication which proxy the request from the ACS over
    to the RSA SecurID Server. I installed RSA Agents with
    sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
    to be "RSA_SecurID" group. In the "External user databases" and
    "database configurations" I assign SecurID to this "RSA_SecurID"
    group.
    Everything is working fine. In the "User Setup" I can see dynamic
    user test1, test2,...testn listed in there as "dynamic users". In
    other words, I can telnet into the router with my two-factor
    SecurID.
    The problem is that if test1 wants to go into "enable" mode with
    SecurID login, I have to go into "test1" user setting and select
    "TACACS+Enable Password" and choose "Use external database password".
    After that, test1 can go into enable mode with his/her SecurID
    credential.
    Well, this works fine if I have a few users. The problem is that
    I have about 100 users that I need to do this. The solution is
    clearly not scalable. Is there a setting from group level that
    I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you described it, it seemed like anyone in this group can go directly
    into enable mode without a password. This is not what I have in mind.
    Any other ideas? Thanks.
