Map acs to ad

Hi,
i have several different groups on the ACS (example: finance, sales, marketing). how do i map this to AD? (for example, if i have to put a person under sales group then i want to goto AD and add him to the member of sales and this should dynamically map and reflect on ACS)
Thanks

Thanks for this. I have already mapped the user to the group and linked ACS and AD. But dynamic entry is not created. However on the ACS I can see there is /local, /xyz (domain name) , /default - 3 different domains. The /local has all users mapped to default group on ACS. The /xyz is in correct order - the way I wanted to map. I presume its not wokring as ACS goes in order. It first looks at /local and then goes to xyz. Is this correct? So if jli delete the /local it shd work ?
But just want to confirm one thing - i don't have to create an entry for the users if manually if goes well, isn't it?
Thanks
Sent from my Windows Phone

Similar Messages

Move group mapping ACS 3.3 or 4.0

Hi,
is there some possibility to move some group mapping UP/DOWN in list of mapping? When i create some mapping it's at the end of list but i need to move this rule to another position in list becouse there is sequential system for matching rules..

In ACS 3.3(11):
External User Database...Database Group Mappings...Pick Database...Pick Domain(If Windows) or Pick Tree(if NDS)...
This should bring you to your group listings...click Order Mappings then you can move your groups up or down.

ACS 4.0 and german password characters???

Hello. I have attempted to map ACS 4.0 to Windows AD 2003 as an External Database.
This all works fine. The only weird thing is that ACS doesn't accept user passwords containing german special characters (such as ä,ö,ü).
From the file "C:\Program Files\CiscoSecure ACS v4.0\CSAuth\Logs\AUTH.log" I get the following information:
AUTH 14/02/2006 14:35:13 I 1554 2088 pvAuthenticateUser: authenticate 'testuser1' against Windows Database
AUTH 14/02/2006 14:35:13 I 0376 2088 External DB [NTAuthenDLL.dll]: Starting authentication for user [testuser1]
AUTH 14/02/2006 14:35:13 I 0376 2088 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user testuser1
AUTH 14/02/2006 14:35:13 E 0376 2088 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 14/02/2006 14:35:13 I 0376 2088 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain TESTDOMAIN1
AUTH 14/02/2006 14:35:13 I 0376 2088 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user testuser1
AUTH 14/02/2006 14:35:13 E 0376 2088 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 14/02/2006 14:35:13 I 0376 2088 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain TESTDOMAIN2
AUTH 14/02/2006 14:35:13 I 0376 2088 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user testuser12
AUTH 14/02/2006 14:35:13 E 0376 2088 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 14/02/2006 14:35:13 I 0143 2088 [PDE]: PolicyMgr::TerminateContext: context id=1 is deleted
AUTH 14/02/2006 14:35:13 I 5081 2088 Done RQ1026, client 2, status -2052
When I set the user password (on the AD Server 2003) without an german umlaut (ä, ö..) the authentication process works fine:
AUTH 14/02/2006 15:46:35 I 1554 1840 pvAuthenticateUser: authenticate 'testuser1' against Windows Database
AUTH 14/02/2006 15:46:35 I 0376 1840 External DB [NTAuthenDLL.dll]: Starting authentication for user [testuser1]
AUTH 14/02/2006 15:46:35 I 0376 1840 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user testuser1
AUTH 14/02/2006 15:46:35 I 0376 1840 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by TESTSRV01)
AUTH 14/02/2006 15:46:35 I 0376 1840 External DB [NTAuthenDLL.dll]: User mapped to ACS group id [5]
AUTH 14/02/2006 15:46:35 I 0143 1840 [PDE]: PdeAttributeSet::addAttribute: PDE-Group-ID-16=5
AUTH 14/02/2006 15:46:35 I 0143 1840 [PDE]: PolicyMgr::Process: request type=4; context id=1; applied default profiles (0) - do nothing
AUTH 14/02/2006 15:46:35 I 0143 1840 [PDE]: PolicyMgr::TerminateContext: context id=1 is deleted
AUTH 14/02/2006 15:46:35 I 5081 1840 Done RQ1026, client 2, status 0
Any ideas ?
Is this an known issue in this release ? At the moment we map ACS 2.6 to Windows NT 4 as an External Database. In this configuration the
authentication process works as well with german password characters!!!
Thanks for help!
Best Regards
Matthias Enderle

Hi
Looks like you are doing PAP, if you switch to MSCHAP then ACS will never see the password (only a hash created by the supplicant)
This will tell you whether the problem is ACS or AD.
Darran

Dynamic VLAN assignment with WLC and ACS for

Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
dot11 vlan-name STUDENT vlan 2903
dot11 vlan-name FACSTAF vlan 2905
As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

ACS External Windows Authentication: Pre-Windows 2000 name only works

Hello. I have attempted to map ACS to Windows AD 2003 as an External Database. That works, but only if I authenticate using the Pre-Windows 2000 name (sometimes called the "down-level" name).
If I use the Windows 2003 login name, I get a 529 error in the event viewer, stating the username/password is incorrect. This error appears on the Windows 2003 SP1 server running ACS.
Curiously, if I authenticate using the down-level name, the successful event shows the same authentication package (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0) and "Workstation" and "Login Process" name (CISCO).
I cannot determine if this is an ACS or Windows problem. Any one have a clue?

Win2003 logon name: [email protected]
A Pre-Windows2000 name: [email protected]
Interestingly, the down-level name will authenticate, but the "up-level" name will not.
Here are excerpts from AUTH.log:
Failed up-level name:
AUTH 01/19/2006 07:52:04 I 4817 3604 Attempting authentication for Unknown User '[email protected]'
AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Starting authentication for user [[email protected]]
AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bob.smith
AUTH 01/19/2006 07:52:04 E 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain COMPANY
AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bob.smith
AUTH 01/19/2006 07:52:04 E 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 01/19/2006 07:52:04 I 2124 3604 Unknown User '[email protected]' was not authenticated
Passed down-level name:
AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Starting authentication for user [[email protected]]
AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bsmith
AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by WINDC02)
AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Obtaining RAS information for user bsmith from WINDC02

Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall wit Radius & Tacacs+

Hello,
Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configured it with Juniper Netscreen Firewall for radius & tacacs+ authentication and authorization?
I am able to configure this with Cisco ACS 4.2 with customise VSA file but can't understand how to configure it on ACS 5.1.
Thanks in Advance.

Hi Eduardo,
Can you tell me how to map ACS 4.2?
service=junos-exec
local-user-name=Engineering
Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed onto ACS 5.2? I don't have access to a sniffer or tap nor do I have writes on this box. I have to instruct our systems folks to investigate. It has been a back and forth battle.
Also, I'd like to see where I'd map this on ACS 5.2. Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
local-user-name=opertions
allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))

ACS 5.3 Group Mapping based on AD group membership

Hi,
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
Thank you,
Sami

Ok, my case is like this.
I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
I have a case with Cisco engineer now and still in the middle to sort things out.
The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
Wondering whether there is a fix for this.
Thanks.

Issue with group mapping in ACS.

When we map AD group in ACS with ACS group it coming as AD group and * (As below â ,* â ) , Because of this * everybody is able to login irrespective of his AD group.
Please suggest way to only add the NT Group alone without the *.

Actually '*' means something else.
If you have a group on AD say 'Alfa'
when you do a mapping on ACS, you'll see it like this,
'Alfa', * ------- Group x
Above means, if a user a member of Group 'Alfa' on AD, AND can also have any other group membership on AD (meaning of *), then map it to Group x on ACS.
It does not mean map everyone to Group x, even if they are not a member of Group 'Alfa' on AD.
As mentioned by JG above, all the users are able to authentication because of your 'All other combination' or \DEFAULT mapping on ACS.
Map them to .
Then only those will be able to log in, for whom you have the mapping defined on ACS.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538
Check Step 8,
"The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."
Regards,
Prem

ACS 3.3 Windows group mapping problem

Hi,
I?m running Cisco Secure ACS v.3.3 at Win 2000 server(sp4). ACS server is member of AD domain X. Additional there are two AD forests, so: domains X and Y are in the same forest, but domain Z is member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In ACS documentation I have found information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? If problem is solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
Thanks,
Peter

You need to set up proxy.
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
Look for "Cross-Forest Authentication" in above link. And you get the Idea of what I mean. Though in above link its depicted with IAS server, but same is possible with ACS, as both can act as Radius server.
There is a known bug, CSCsi04187
PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from client. This only happens if the machine is autenticating to a domain forest that the ACS is not a member of.
Conditions:
The Machine authenticating to ACS is in a different domain forest then the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
Workaround:
If the supplicant has the option you can send the macine name in hos/ format.
Many supplicants do not have this option.
It is to be fixed for ACS 4.2 release.
Regards,
~JG

User in a windows group - mapping to acs group appears not be working

I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
Any suggestion?

Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
1. External User Databases - Database Configuration - Windows Database - Configure
Make sure your domain is listed on moved to the Domain List section
2. External User Databases - Database Group Mappings - Windows Database - - Add Manual Mapping
Make sure you have the right AD group mapped to the internal ACS group, you can even set users* if you want to include all users.
3. External User Databses - Unknown User Policy
Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases
Check âThe database in which the user profile is heldâ radio dial in the Configure Enable Password Behaviour section
Hope that helps!

ACS group mapping

hello
we are using ACS4.2 to authenticate network admins to access switches and routers. ACS is integrated with Windows Active Directory.
so we map AD groups to ACS groups and we specify access restriction in ACS groups.
now we want to use this ACS to authenticate wireless users. wireless users will use their AD accounts.
so i think we should create a new internal group in ACS and map AD mobile users to this group. using Radius attributes we can put these users in one particular vlan.
however what if one network administrator will access the wireless network? he will use the AD account that belongs to both groups : network-admin group and wireless group.
so what will ACS do in this case? will it be mapped to the first group or the second or may be both?!!!

i can't see how NAP can resolve my issue.
suppse ohasairi is one account in AD that belongs to AD groups: network-admin and wireless-users
AD netwrk-admin is mapped to ACS network-admin group. this group is configured with NAR to limit access to some network devices
AD wireless-users is mapped to ACS wireless-users that is configured with adequate airespace attributes and ietf attibutes to let it in vlan 80 (wireless vlan)
now if i put network-admin map the first one, then if ohasairi tries to access wireless network it will not succeed because it will be mapped to network-admin group. and this group is not configured with ietf attributes that let the user in vlan 80!
if i put wireless-users map the first one, then if ohasairi tries to access one network device, i am afraid it will be assigned to vlan 80!

Cisco ACS Policy Mapping

Hallo,
I have a question about the policy mapping in ACS 5.4.
When a request matches in "Access Selection Rule" the request goes to an "Access Service".
In "Access Service" there are three kinds of policy rules:
- Identity:
If condition match then result "Identity Source"
- Group Mapping
If condition match then result "Identity Group"
- Authorization
If condition match the result "Auth Profil"
Q1:
For example:
The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Wich condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale databse password" or "token passcode".
Q2:
What does it mean: "Group mapping"?
Thx for your answer!
Stefan

Hi Stefan,
The User "Test" is registered in Internal User with a local password. But now I will authenticate the user "Test" from a RSA Token server. How can I configure this rule in "identity policy"? Wich condition matches to choose the identity source. I will set the internal user with an attribute enumeration field like "Password". The administrator should have an option to choose "locale databse password" or "token passcode".
In the identity, if you click on select, you can select the type of Database, you can choose RSA (you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
Another, way is you continue to use the internal users DB, but you go to that user internally and select the password type to be RSA
(you will first need to create the connection under Users and Identity Stores-->External Identity Stores-->RSA secure ID)
Group mapping is a feature to assign a local identity group as a result by choose conditions.
EG:
If (Active directory x) Then (Internal group x)
The IF is the condition and Then is Result.
https://supportforums.cisco.com/docs/DOC-34890
Hope this Helps.
Ed

ACS Group mapping and restrictions

hi,
I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
ACS Groups
Netadmin - need telnet/ssh/vpn/wireless
wireless - only wireless authentication
vpn - only vpn authenticaiton
I need to map the above ACS groups to one/or many AD groups and restric access as stated above.
Also please note that one user can be belongs to all three groups in ACS/AD.
thanks in advance.

In ACS user can only belong to one group. But in AD we can have one user a part of multiple group.
In this scenario, it is very important to understand how ACS group mapping works.
Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
Select the AD group NetworkAdmin and map it to ciscosecure group 1
select the AD group RouterAdmin and map it to ciscosecure group 2
select the AD group Wireless and map it to ciscosecure group 3
Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
SCENARIO:
Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
NOTE:
If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
routers and switches.
IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
username is to go to usersetup find that user and delete it manually.
ACS will not support the following configuration:
*An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
*The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
However there if your mappings are in below order...
NT Groups ACS groups
A,B,C =============> Group 1
A =============> Group 2
B =============> Group 3
C =============> Group 4.
You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
You can create a rule for users in group A (Group 2)
You can create a rule for users in group B (Group 3)
You can create a rule for users in group C (Group 4)
Regards,
~JG
Do rate helpful posts

SSID To Group Mapping With ACS 5.1

Hi ;
I am trying to implement PEAP authentication with ACS 5.1 and PEAP is working fine. I have two SSID's with peap authentication and i have two groups in AD. I need to map one ssid with one group and another SSID with the other group.
I implemented the same with ACS 4.2 (Screenshot attached) . Now the requirement is to implement the same concept in ACS 5.1. Could you please help me on this.

If you go under Access Policies and Service Selection Rules and check you hit count( you may need to refresh if you just tried connecting) see if the rule is incrementing.
If that rule has a condition tied to that SSID, it should only increment when that SSID sends traffic. If users credentials are working, thats a separate issue.
For the Access service you created, that your selection rule feeds, check the following
Identity will be set to internal users
Authorization you will need to have hit custom and selected "Identity Group" as a selector" Then when you make the rule, check that box and set it to your Staff Group. Set the default at the bottom of the page to Deny Access.

After mapping groups, should I deny all users on ACS ?

I've created and mapped security groups in active directory DomainWirelessOK and DomainVPNOK. I mapped those to ACS_Wireless and ACS_VPN.
In my production environment, currently all users on ACS authenticate using "Default Group".
What's the best way to let only users of ACS_VPN and ACS_Wireless have acccess to resources ? Should I "deny" access to Default group ? Is there any specific order you would setup this ?
Also, if you have suggestions on how I can test this avoiding system disruption please let me know. I thought that I could perhaps include the IP address of few selected Access Points to confirm that mappings work accordingly ?

Hi
If you add a 3rd mapping to map everything else to "No access" that would lockout members of other AD groups.
Additionally, create two NDGs - one for VPN and one for WLAN. In each ACS group you can setup Network Access Restrictions (NARs) such that the VPN group only has access to the VPN NDG and the same for WLAN.
If a WLAN user authenticated via a device in the VPN NDG they would be rejected & vice versa. This assumes the groups are mutually exclusive which they probably arent. So you might needs to make each of the 2 ACS groups have access to both NDGs.
Darran

Map acs to ad

Similar Messages

Maybe you are looking for