Different ACS Group

I have made two ACS user groups, tac1 and tac2, and assigned them full rights on two different Network Device Groups, G1 and G2. tac1 is only able to access the G1 group, not the other group.
Now my requirement is that the tac1 user group can also access G2 devices, but with limited commands.
Right now I am achieving this by making a third user group, G3, and assigning it read-only permission on all devices.
But I want the same tac1 group users to get full rights on G1 devices but read-only on G2 devices.
Please tell me how to achieve this.

You need to use the option "Assign a Shell Command Authorization Set on a per Network Device Group Basis" under Shell Command Authorization.
Regards,
~JG
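To make the per-NDG assignment concrete, here is an added Python model of how ACS picks and evaluates a shell command authorization set. It is an illustration written for this page, not ACS code: the group names tac1/G1/G2 come from the question, while the set names, device names, command rules and the evaluation order (listed command, first matching argument line wins, otherwise the set's unmatched verdict) are assumptions made for the example.

```python
"""Model of ACS shell command authorization assigned per Network Device Group.

Added example, not ACS's own code. Assumptions: a user group carries one
command authorization set per NDG plus a default set for every other device;
a set lists command words, each with ordered permit/deny argument patterns and
a verdict for unmatched arguments, plus a verdict for unlisted commands.
"""
import re
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"


@dataclass
class CommandRule:
    """One listed command: ordered (verdict, argument regex) lines, first match
    wins; 'unmatched_args' applies when no line matches."""
    arg_lines: list = field(default_factory=list)
    unmatched_args: str = DENY


@dataclass
class CommandAuthSet:
    name: str
    rules: dict = field(default_factory=dict)   # command word -> CommandRule
    unmatched_commands: str = DENY              # verdict for unlisted commands

    def authorize(self, cmdline: str) -> str:
        """Evaluate one TACACS+ command authorization request."""
        cmdline = " ".join(cmdline.split())     # normalise whitespace
        if not cmdline:
            return DENY
        cmd, _, args = cmdline.partition(" ")
        rule = self.rules.get(cmd)
        if rule is None:
            return self.unmatched_commands
        for verdict, pattern in rule.arg_lines:
            if re.fullmatch(pattern, args):
                return verdict
        return rule.unmatched_args


@dataclass
class UserGroupPolicy:
    """Per-NDG assignment for one ACS user group."""
    per_ndg: dict                 # NDG name -> CommandAuthSet
    default_set: CommandAuthSet   # used for devices in any other NDG


def authorize(policy: UserGroupPolicy, device_to_ndg: dict,
              device: str, cmdline: str) -> str:
    """Pick the set by the device's NDG, then evaluate the command."""
    ndg = device_to_ndg.get(device)            # None for an unknown device
    auth_set = policy.per_ndg.get(ndg, policy.default_set)
    return auth_set.authorize(cmdline)


# Constructed sets and devices (hypothetical names, not from the thread).
FULL_ACCESS = CommandAuthSet("FullAccess", unmatched_commands=PERMIT)
READ_ONLY = CommandAuthSet("ReadOnly", rules={
    # 'show' is allowed, but not the configuration: it carries keys and secrets.
    "show": CommandRule(arg_lines=[(DENY, r"(running|startup)-config.*")],
                        unmatched_args=PERMIT),
    "exit": CommandRule(unmatched_args=PERMIT),
})
DENY_ALL = CommandAuthSet("DenyAll")

TAC1 = UserGroupPolicy(per_ndg={"G1": FULL_ACCESS, "G2": READ_ONLY},
                       default_set=DENY_ALL)
DEVICES = {"core-rtr-1": "G1", "edge-sw-7": "G2", "lab-rtr-3": "G3"}

if __name__ == "__main__":
    for dev, cmd in [("core-rtr-1", "configure terminal"),
                     ("edge-sw-7", "show ip route"),
                     ("edge-sw-7", "show running-config"),
                     ("edge-sw-7", "configure terminal"),
                     ("lab-rtr-3", "show version")]:
        print(f"{dev:12} {cmd:22} -> {authorize(TAC1, DEVICES, dev, cmd)}")
```

Two points worth checking in a real deployment: devices that belong to no listed NDG should fall to an explicit deny-all set rather than to a permissive default, and the read-only set should deny the configuration views, since a running config contains key strings and hashed secrets. IOS sends commands to the TACACS+ server in expanded form, so matching on full command words is what ACS actually sees.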

Similar Messages

  • ACS- Dynamic VLANS for different ACS groups with AD

    Hi all,
    How do I tie different Active Directory domain groups to different ACS-defined groups? Each domain group will be tied to an ACS-defined group with a different VLAN. I read about the option in the help but don't see the option to actually do it.
    Using ACS 3.3.
    JT

    You could refer to the document 'User Group Mapping and Specification' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/qg.htm#.

  • ACS Group mapping and restrictions

    hi,
    I would appreciate receiving some configuration steps on ACS to fulfil the following requirement and hope you can help me.
    ACS groups:
    Netadmin - needs telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    Thanks in advance.

    In ACS, a user can only belong to one group, but in AD one user can be part of multiple groups.
    In this scenario it is very important to understand how ACS group mapping works.
    Let's say that you have three different groups in AD: NetworkAdmin, RouterAdmin and Wireless. Go to External User Databases == Database Group Mappings == Windows NT/2000 == select the domain to which you are authenticating == Add Mapping.
    Select the AD group NetworkAdmin and map it to CiscoSecure group 1.
    Select the AD group RouterAdmin and map it to CiscoSecure group 2.
    Select the AD group Wireless and map it to CiscoSecure group 3.
    Group mappings work in the order in which they are defined: the first configured mapping is checked first, then the second, third and so on. If a user is in AD group NetworkAdmin, which is mapped to ACS group 1 and is the first configured mapping, it will be checked FIRST (if a user exists in the NetworkAdmin group, it will always be mapped to CiscoSecure group 1, NO further mappings are checked for this user, and the user is authenticated or rejected).
    Scenario: if you have a user called cisco in the NetworkAdmin group, cisco1 in RouterAdmin, and cisco2 in Wireless, they will always be dynamically mapped to ACS groups 1, 2 and 3 respectively, as per the above mappings.
    You can check the mappings in the Passed Authentications report to see what group users are getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not to Wireless or RouterAdmin devices, you would need to apply NARs to group 1, because NetworkAdmin users are mapped to that group. There you permit access on a group basis to a particular NetworkAdmin NDG or to individual NetworkAdmin AAA clients.
    NOTE:
    If you are applying NARs for Wireless or VPN devices, you would need to configure both IP-based AND CLI/DNIS-based NARs together, because NARs were originally designed for Cisco IOS routers and switches.
    IMPORTANT: If a user successfully authenticates to the AD database once, the username is cached in the ACS database (NOT the password). The only way to remove a previously cached username is to go to User Setup, find that user and delete it manually.
    ACS will not support the following configuration:
    * An Active Directory user that is a member of 3 AD groups (A, B and C).
    * Those 3 groups are mapped within ACS as follows: Group 1 -> A, Group 2 -> B and Group 3 -> C.
    * The user is in all 3 groups; however, he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the order below...
    NT groups          ACS groups
    A,B,C =============> Group 1
    A     =============> Group 2
    B     =============> Group 3
    C     =============> Group 4
    You can create a DIFFERENT rule for the users in A, B and C by configuring the NARs in Group 1.
    This rule WILL apply to the user ONLY if he is present in ALL three groups (A, B and C).
    You can create a rule for users in group A (Group 2).
    You can create a rule for users in group B (Group 3).
    You can create a rule for users in group C (Group 4).
    Regards,
    ~JG
    Do rate helpful posts
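The ordering rule in the reply above (first matching mapping wins, a multi-group mapping requires membership in every listed AD group, and nothing after the first match is evaluated) is easy to get wrong. Here is an added Python model of that evaluation, written for this page rather than taken from ACS. The group names A, B, C and the "Group 1..4" targets are the reply's; the default-group fallback for unmatched users and the `shadowed_mappings` check, which flags a mapping that can never fire because an earlier one requires a subset of its groups, are additions of this example.

```python
"""Model of ACS ordered Windows-group-to-ACS-group mapping.

Added example, not ACS's own code. Assumptions: mappings are an ordered list,
a mapping with several AD groups matches only users who are in ALL of them,
the first matching mapping wins and no later mapping is evaluated, and a user
matching no mapping lands in the ACS default group.
"""

DEFAULT_GROUP = "Default Group"


def map_user(mappings, user_ad_groups, default_group=DEFAULT_GROUP):
    """Return the ACS group for a user given their AD group memberships.

    mappings: list of (set_of_ad_groups, acs_group) in configured order.
    """
    memberships = set(user_ad_groups)
    for ad_groups, acs_group in mappings:
        if set(ad_groups) <= memberships:   # user must be in every listed group
            return acs_group
    return default_group


def shadowed_mappings(mappings):
    """Indexes of mappings that can never match because an earlier mapping
    requires a subset of the same AD groups (first match wins)."""
    unreachable = []
    for j, (later, _) in enumerate(mappings):
        for i in range(j):
            earlier = mappings[i][0]
            if set(earlier) <= set(later):
                unreachable.append(j)
                break
    return unreachable


# Constructed mapping tables mirroring the reply above.
NAIVE = [
    ({"A"}, "Group 1"),
    ({"B"}, "Group 2"),
    ({"C"}, "Group 3"),
]

ORDERED = [
    ({"A", "B", "C"}, "Group 1"),   # most specific combination first
    ({"A"}, "Group 2"),
    ({"B"}, "Group 3"),
    ({"C"}, "Group 4"),
]

# Wrong order: the combined mapping sits after a single-group one it overlaps.
REVERSED = [
    ({"A"}, "Group 2"),
    ({"A", "B", "C"}, "Group 1"),
]

if __name__ == "__main__":
    user = {"A", "B", "C"}
    print("naive  :", map_user(NAIVE, user))            # Group 1, B and C never checked
    print("ordered:", map_user(ORDERED, user))          # Group 1
    print("ordered, B only:", map_user(ORDERED, {"B"})) # Group 3
    print("unreachable in REVERSED:", shadowed_mappings(REVERSED))  # [1]
```

Running `shadowed_mappings` over an exported mapping table is a quick way to find combined-group rows that were added after the single-group rows and therefore silently never apply; the symptom on the ACS side is users landing in a less specific group, or in the default group, as in the thread further down this page.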

  • Stock report for single material contains different material groups

    Hi Experts,
    I have a scenario. I want to maintain a material group for a material at the time of PO creation. The next time, I will maintain a different material group for the same material.
    But I want to view the stocks material-group-wise, by the material group I entered in the PO. Is it possible to achieve this?
    Please suggest a solution.
    Thanks & Regards,
    Deepika.

    Please read the KBA document 2012912 - Changeability of the field "material group" in purchasing documents.
    It clearly says that the material group can't be changed if you use a material master in the purchase order.
    So it is clear that you can't use a different material group for a material master in the purchase order.
    For the stock report, the system will only show you the material group which is assigned to the material master (MARA-MATKL). The system will not look into the purchase order section (like EKPO).

  • Same number range for two different series groups?

    Dear all,
    There are two scenarios:
    1. Normal export under bond: series group is 20, a number range is maintained, and the running number is 300016.
    2. Another scenario, where the ARE1 document is generated for a deemed export customer (already customised): series group is 30.
    But the client requirement is that for this second scenario as well, the system should pick up the running number range of series group 20 (under bond), as per the excise legal requirement.
    I.e. the running number for series group 20 is 300016.
    For the above deemed export case (second scenario) it should pick up 300017.
    And again, when they do the under-bond case (first scenario), it should pick up 300018, and so on.
    Is it possible to maintain the same number range for two different series groups (20 and 30)?
    Even if you maintain the same number range for 30 as the running number range of 20,
    will the system update the same number range simultaneously for the 20 and 30 series groups?
    Please suggest the way.

    With two different series groups, it is not possible to have the same number range. Even if you maintain it, they will be treated independently.
    Normally, you should not use different series groups if the same number range has to be used. In fact, the concept of series group has been developed to ensure that number ranges can be maintained separately.
    Regards,
    Aroop

  • Can I deploy 2 computer GPO for 2 different Security Groups to the same machine?

    Hi,
    this is my scenario:
    I have 2 different security groups (in a domain) and I would like to deploy 2 different computer GPOs depending on the user's SG membership.
    This is a terminal server (2k12) and I would like to have the computer GPO policy (Administrative Templates / Windows Components / Remote Desktop Session Host / Profiles) different for each security group.
    Thanks,
    Marco

    > I have 2 different security groups (in a domain) and I would like to
    > deploy 2 different computer GPOs depending on the user's SG membership
    Not really, but for some settings there is a workaround... ->
    http://evilgpo.blogspot.de/2012/03/how-to-save-my-screen.html
    > this is a terminal server (2k12) and I would like to have the computer
    > GPO policy/admin template/windows components/remote desktop session
    > host/profile different for each security group.
    For THIS setting, it definitely does NOT work. The profile path must be known BEFORE the user is logged on, and this means BEFORE any user-specific settings can be processed.
    Martin
    How about reading a GOOD book about GPOs for a change?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Is it possible to deploy 2 SCOM 2012 R2 reporting in a SQL server which already has SCOM reporting of a different management group but with 2 different reporting instance.

    Hi Experts,
    I have a typical situation in the LAB environment. Hope someone can help. I have installed SCOM 2012 R2 with SQL 2012 SP1 on a single server (management group 1). I have installed another management group on another server, using this SQL server for its database, so everything is going fine.
    The first management group has its reporting installed on the SQL server. For the second I created a new named instance for that. But I cannot run the SCOM setup on the SQL server (which also holds the management group 1 MS), as the first reporting is already there.
    When I run the setup it asks me to repair it. I don't get the install option, so I can't install the reporting for management group 2 in the named instance.
    The default instance is being used by the first management group.
    Can anyone figure out a possibility for installing 2 SCOM reporting services for different management groups on the same SQL 2012 server, please?
    Gautam.75801

    Hi Yan Li,
    Thank you for the reply. So, as you are aware, if I need to install reporting, I need to run the SCOM 2012 R2 setup on the SQL server, select reporting, select the instance and then specify the management server there, right? I am not getting that option there; it is asking me to remove or repair the existing installation, as there is already an entire SCOM setup, including reporting, there. As it is a lab, there is no problem in testing. I have 2 reporting instances. Any suggestions for me on how to overcome this issue and deploy the second reporting in the new named instance?
    Below is the screenshot of the error I am talking about when I run the SCOM 2012 R2 setup to install reporting on the SQL server.
    When I click on Add Feature, Reporting is greyed out (as the first management group's reporting is already installed).
    When I click on Remove or Repair, it uninstalls the existing one. But I want both SCOM 2012 R2 reporting installations to be there (for both management groups). Is it possible? If yes, what is the trick to run the setup?
    Gautam.75801

  • Mass creation of common folders for different user groups

    Hello Experts,
    We are using Portal 7.0 SP12 and we have 10 different user groups created in the Portal.
    Based on this group structure, we need to create two common folders in each user's Personal Documents in KM.
    Is there any way to achieve this kind of requirement?
    Can we do a mass creation of these two common folders, which will be assigned to all of the groups? This needs to be done in the users' Personal Documents and not in Public Documents.
    Any help in this context would be highly appreciated. Points assured.
    Thanks in advance,
    Anil Kumar.

    For every user a folder is created in the user home. One approach is to capture this folder creation event and create the folder structure you need. You need to develop a portal service which listens to events from the userhome repository:
    1. Capture the folder creation event for the user home.
    2. Create the folder structure you want in this event handler.
    Check this documentation on how to do this:
    https://media.sdn.sap.com/html/submitted_docs/nw_kmc/howto/rf/client_api/rf_client_api.html
    Regards,
    Prasanna Krishnamurthy

  • Different vendor group, but 1 vendor master

    Dear Friends,
    Can I have this facility in SAP?
    Different account groups are to be maintained, but only one vendor master should be created, with a common number.
    Display separate balances for vendors in Balance Sheet as:
    Creditors for Material Purchase
    Creditors for Capital Purchase
    Creditors for Acceptance
    Regards,
    Ram

    Hi,
    It is better to use Define Alternative Reconciliation Account for Vendors, like:
    1. Creditors for Material Purchase - xxx1
    2. Creditors for Capital Purchase - xxx2
    3. Creditors for Acceptance - xxx3
    Sundry creditors - xxxx0, main reconciliation account.
    In this step, you define accounts which show the posting of a corresponding special G/L transaction to the general ledger. The postings are made to these accounts instead of to the normal reconciliation account.
    Path:
    SM30 --> table V_THKON.
    Hope it is clear.
    Search for more help on alternative reconciliation account settings.
    Regards,
    Kishore K

  • Dynamic Maping to ACS groups using OU instead of NT group

    Is there a way to use Microsoft AD OU groups instead of the old NT groups to dynamically map users to ACS groups? We are using an ACS server at version 3.2, as well as some test servers on 3.3.

    Cisco Secure ACS for Windows Servers 3.2 only supports two versions of the Windows 2000 operating system:
    1) Windows 2000 Server, with Service Pack 3 or Service Pack 4 installed
    2) Windows 2000 Advanced Server, with the following conditions:
       with Service Pack 3 or Service Pack 4 installed
       without Microsoft clustering service installed
       without other features specific to Windows 2000 Advanced Server enabled

  • N+1 redundancy and different mobility groups

    Is it possible to backup 2 controllers with 2 different mobility groups (for example GROUP1 and GROUP2) to the same backup controller (running HA SKU N+1 (7.4)) ?
    Since a controller can only be configured in 1 mobility group, this doesn't seem to be possible. Can someone confirm ?
    regards,
    Geert

    Hello,
    As per your query, I can suggest the following solution:
    In all Wireless LAN Controller (WLC) versions earlier than 4.2.61.0, when a WLC goes "down," the LAP registered to this WLC can failover only to another WLC of the same Mobility Group, if the LAP is configured for failover. From Cisco WLC version 4.2.61.0 and later, a new feature called Backup Controller Support is introduced for access points to failover to controllers even outside the Mobility Group. Refer to Wireless LAN Controller and Light Weight Access Points Failover Outside the Mobility Group Configuration Example for more information.
    Hope this will help you.

  • Client Roaming Within Single WLC with Different AP Groups

    I am trying to set up a 4400 WLC with 2 different AP groups, each mapped to its respective dynamic interface / VLAN. APs are equally mapped to both AP groups by floor, e.g. first-floor APs connect to one AP group and second-floor APs to the other.
    The goal is to create a separate network policy for each floor using ACLs applied to their respective VLANs on the Layer 3 switch. Wireless roaming should happen seamlessly between these AP groups, making the DHCP changes without disconnecting and reconnecting every time a user roams across floors.
    The problem is that when clients roam between floors, i.e. moving between AP groups, they still keep their old DHCP IP addresses after moving to the new AP group, even after client re-authentication. This defeats our goal of creating a wireless network policy using a single WLC.
    Knobs I have tuned in the WLC to achieve our goal include:
    1. WLAN session timeout - no use
    2. DHCP proxy disable - no use
    3. ARP timeout - no use
    It looks like the WLC stores the client's IP address and MAC information unconditionally during roaming and does not clear it until a manual or forced disconnect or disassociation is done.
    Has anyone tried to implement this setup and got it running? Any help or suggestion would be highly appreciated.
    Thanks
    Guru

    A bit late for a reply, but... try going to the SSID > Advanced tab, ticking the "DHCP Addr. Assignment" Required checkbox, and test again.
    What does the DHCP Required field under a WLAN signify?
    A. DHCP Required is an option that can be enabled for a WLAN. It requires that all clients that associate to that particular WLAN obtain IP addresses through DHCP. Clients with static IP addresses are not allowed to associate to the WLAN. This option is found under the Advanced tab of a WLAN. The WLC allows traffic to/from a client only if its IP address is present in the MSCB table of the WLC. The WLC records the IP address of a client during its DHCP Request or DHCP Renew. This requires that a client renews its IP address every time it re-associates to the WLC, because every time the client disassociates as part of its roam process or session timeout, its entry is erased from the MSCB table. The client must again re-authenticate and re-associate to the WLC, which again creates the client entry in the table.

  • How to set different default interactive reports for different user groups?

    I'm probably overlooking an obvious solution, but how do I set a different default interactive report for different user groups?
    For the same interactive report, I want one set of users to see a default where the default filter is based on column X. However, another group of users doesn't have authorization to see that column, so I need to set the default filter to something else for them.
    Thanks

    You can set a filter on a report in a URL - would that help? I think with apex 4.x you can also link to a saved default report or alternative report...

  • Different field groups in the different account groups

    Dear IT Experts,
    I'm working on restructuring authorization in roles concerning the IC and TP customers.
    The goal of these changes is to be able to have different field groups in the different account groups (TP and IC). To give you some more detail, a good example can be: the same AMS user should be able to change general data and sales views for TP customers, but for IC he should only be allowed to change the sales views. However, when the changes are made in the roles they are being ignored, because as far as I could check the system does not have a rule that the field groups are, or can be, dependent on the account group...
    I can give you a clear example:
    Role A
    F_KNA1_AEN -> VGRUP = 10-16
    F_KNA1_GRP -> ACTVT = 01, 02, 03
    F_KNA1_GRP -> KTOKD = INTR
    Role B
    F_KNA1_AEN -> VGRUP = 16
    F_KNA1_GRP -> ACTVT = 01, 02, 03
    F_KNA1_GRP -> KTOKD = THIR
    Although it looks fine, the system is not validating the account group against the corresponding field group in each role, so the set of field groups the system uses is a single one: it means the system uses the content of the object F_KNA1_AEN in total, independently of the account group used!
    So my question is: can we apply any other object that makes the field group directly dependent on the account group, as we have, for example, activities per account group, with something similar for field group and account group?
    Can someone please explain to me step by step how I can make this work, even by another method?
    I'm quite new to these issues and I really need your wisdom to find a solution for this.
    Many thanks,
    Katjia

    Hi Manoj,
    The debate is that each individual business unit has defined different account groups for the same vendor in their respective systems.
    The question is: what is the best practice? Should we keep the vendor account group as a main table field and define vendors with one unique account group, OR do we maintain the account group in a qualified table, each pointing to a different business unit?
    In my opinion this is going to be a very complex solution. Ideally we need to define all the harmonization rules before syndicating data to the different target systems.
    Is it possible that the same vendor record, which exists as a vendor of different account groups in different systems, has the same set of attributes? If yes, then enabling the remote key for the Account Group lookup field is one option, defining a unique account group "AG" (which is mapped to, say, AG1 from remote system 1, AG2 from remote system 2 and so on).
    Managing this via a qualified table will be very complex and is not advisable. As Rajesh also mentioned, Account Group in MDM should be considered a global attribute and all such harmonization rules should be defined in your project. AG1 = AG2 = AG in the above example.
    Hope this clarifies.
    Thanks - Ravi

  • User in a windows group - mapping to acs group appears not be working

    I have a user in a Windows group, and this Windows group is mapped to an ACS group, but when the user logs in they appear in the Default Group in ACS.
    Any suggestions?

    Hello, I recently implemented this very thing, actually integrated with Authentication Proxy. Here are some settings to check:
    1. External User Databases - Database Configuration - Windows Database - Configure
    Make sure your domain is listed in, or moved to, the Domain List section.
    2. External User Databases - Database Group Mappings - Windows Database - Add Manual Mapping
    Make sure you have the right AD group mapped to the internal ACS group; you can even set users* if you want to include all users.
    3. External User Databases - Unknown User Policy
    Check the "Check the following external user databases" radio button and move Windows Database to Selected Databases.
    Check "The database in which the user profile is held" radio button in the Configure Enable Password Behaviour section.
    Hope that helps!
