Move group mapping ACS 3.3 or 4.0

Hi,
Is there some possibility to move a group mapping UP/DOWN in the list of mappings? When I create a mapping it's at the end of the list, but I need to move this rule to another position in the list because there is a sequential system for matching rules.

In ACS 3.3(11):
External User Database...Database Group Mappings...Pick Database...Pick Domain(If Windows) or Pick Tree(if NDS)...
This should bring you to your group listings...click Order Mappings then you can move your groups up or down.

Similar Messages

  • User in a windows group - mapping to ACS group appears not to be working

    I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
    Any suggestion?

    Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
    1. External User Databases - Database Configuration - Windows Database - Configure
    Make sure your domain is listed on moved to the Domain List section
    2. External User Databases - Database Group Mappings - Windows Database - - Add Manual Mapping
    Make sure you have the right AD group mapped to the internal ACS group, you can even set users* if you want to include all users.
    3. External User Databases - Unknown User Policy
    Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases
    Check “The database in which the user profile is held” radio dial in the Configure Enable Password Behaviour section
    Hope that helps!

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and map appropriately to an identity group.
    What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
    I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
    Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    Ok, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
    I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
    In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
    Following the Cisco docs, I managed to get downloadable ACL working when the authorization profile matching criteria is username, but when I change the matching criteria to Identity group, the downloadable ACL won't work.
    I have a case with Cisco engineer now and still in the middle to sort things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • Issue with group mapping in ACS.

    When we map an AD group in ACS to an ACS group it comes as AD group and * (as below “ ,* ”). Because of this * everybody is able to login irrespective of his AD group.
    Please suggest way to only add the NT Group alone without the *.

    Actually '*' means something else.
    If you have a group on AD say 'Alfa'
    when you do a mapping on ACS, you'll see it like this,
    'Alfa', * ------- Group x
    Above means, if a user is a member of Group 'Alfa' on AD, AND can also have any other group membership on AD (meaning of *), then map it to Group x on ACS.
    It does not mean map everyone to Group x, even if they are not a member of Group 'Alfa' on AD.
    As mentioned by JG above, all the users are able to authenticate because of your 'All other combination' or \DEFAULT mapping on ACS.
    Map them to .
    Then only those will be able to log in, for whom you have the mapping defined on ACS.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538
    Check Step 8,
    "The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."
    Regards,
    Prem

  • ACS 3.3 Windows group mapping problem

    Hi,
    I'm running Cisco Secure ACS v.3.3 on Windows 2000 server (SP4). The ACS server is a member of AD domain X. Additionally there are two AD forests: domains X and Y are in the same forest, but domain Z is a member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from the Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In the ACS documentation I have found the information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it, it's impossible to add a mapping from the second forest? Am I right? Is the problem solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
    Thanks,
    Peter

    You need to set up proxy.
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
    Look for "Cross-Forest Authentication" in the above link and you get the idea of what I mean. Though in the above link it's depicted with an IAS server, the same is possible with ACS, as both can act as a RADIUS server.
    There is a known bug, CSCsi04187
    PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from the client. This only happens if the machine is authenticating to a domain forest that the ACS is not a member of.
    Conditions:
    The machine authenticating to ACS is in a different domain forest than the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
    Workaround:
    If the supplicant has the option you can send the machine name in hos/ format.
    Many supplicants do not have this option.
    It is to be fixed for ACS 4.2 release.
    Regards,
    ~JG

  • ACS group mapping

    Hello,
    we are using ACS 4.2 to authenticate network admins to access switches and routers. ACS is integrated with Windows Active Directory,
    so we map AD groups to ACS groups and we specify access restrictions in ACS groups.
    Now we want to use this ACS to authenticate wireless users. Wireless users will use their AD accounts,
    so I think we should create a new internal group in ACS and map AD mobile users to this group. Using RADIUS attributes we can put these users in one particular VLAN.
    However, what if one network administrator accesses the wireless network? He will use the AD account that belongs to both groups: network-admin group and wireless group.
    So what will ACS do in this case? Will it be mapped to the first group or the second or maybe both?!!!

    I can't see how NAP can resolve my issue.
    Suppose ohasairi is one account in AD that belongs to AD groups: network-admin and wireless-users.
    AD network-admin is mapped to ACS network-admin group. This group is configured with a NAR to limit access to some network devices.
    AD wireless-users is mapped to ACS wireless-users, which is configured with adequate Airespace attributes and IETF attributes to put it in VLAN 80 (wireless VLAN).
    Now if I put the network-admin map first, then if ohasairi tries to access the wireless network it will not succeed because it will be mapped to the network-admin group, and this group is not configured with the IETF attributes that put the user in VLAN 80!
    If I put the wireless-users map first, then if ohasairi tries to access a network device, I am afraid it will be assigned to VLAN 80!

  • ACS Group mapping and restrictions

    hi,
    I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
    ACS Groups
    Netadmin - need telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    thanks in advance.

    In ACS user can only belong to one group. But in AD we can have one user a part of multiple group.
    In this scenario, it is very important to understand how ACS group mapping works.
    Let's say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
    Select the AD group NetworkAdmin and map it to ciscosecure group 1
    select the AD group RouterAdmin and map it to ciscosecure group 2
    select the AD group Wireless and map it to ciscosecure group 3
    Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is the first configured mapping it will be looked at FIRST (if a user exists in the NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further mappings for this user are checked, and the user is authenticated or rejected).
    Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
    You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for Wireless or VPN devices, you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for Cisco IOS for routers and switches.
    IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password). The only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.
    ACS will not support the following configuration:
    *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
    *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the below order...
    NT Groups ACS groups
    A,B,C =============> Group 1
    A =============> Group 2
    B =============> Group 3
    C =============> Group 4.
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
    This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG
    Do rate helpful posts
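An added example, not code from this thread or from Cisco ACS: a small model of the first-match ordering JG describes here and of the trailing `*` that Prem explains in the "Issue with group mapping in ACS" post above (a mapping matches when every listed AD group is among the user's groups, and the user may be in any others). The `A,B,C =====> Group 1` text format, the user names and the `NO_ACCESS` sentinel are assumptions made for the example.

```python
# Added example (not from the thread or from Cisco): a model of how ACS 4.x
# ordered group mapping behaves as described in the posts above.
# A mapping lists the AD (NT) groups a user must belong to. The trailing "*"
# ACS shows next to each set means the user may also belong to any other AD
# group, so a mapping matches when its set is a subset of the user's groups.
# Mappings are checked top to bottom and the first match decides the ACS group.
from typing import FrozenSet, Iterable, List, Sequence, Tuple

Mapping = Tuple[FrozenSet[str], str]   # (required AD groups, ACS group)

# Constructed sentinel standing in for the ACS "No Access" choice on the
# DEFAULT row; the name is chosen here, not taken from the thread.
NO_ACCESS = "<No Access>"


def parse_mappings(text: str) -> List[Mapping]:
    """Parse lines in the shape JG's table uses, e.g. "A,B,C =====> Group 1"."""
    mappings: List[Mapping] = []
    for line in text.strip().splitlines():
        lhs, rhs = line.split("=>", 1)
        required = frozenset(g.strip() for g in lhs.rstrip("= ").split(",") if g.strip())
        mappings.append((required, rhs.strip()))
    return mappings


def map_user(mappings: Sequence[Mapping], ad_groups: Iterable[str],
             default: str = "Default Group") -> Tuple[int, str]:
    """Return (rule index, ACS group) for a user; index -1 means the DEFAULT row hit.

    The index is what you would check on the passed-authentications report to see
    which mapping a user actually landed on.
    """
    user = frozenset(ad_groups)
    for i, (required, acs_group) in enumerate(mappings):
        if required <= user:          # "'A','B','C', *": all listed, any others allowed
            return i, acs_group
    return -1, default                # the "All other combinations" / \DEFAULT row


# The order JG says ACS does not support: a user in A, B and C always lands in
# Group 1 because A is checked first, whatever NARs Groups 2 and 3 carry.
UNSUPPORTED = parse_mappings("""
A => Group 1
B => Group 2
C => Group 3
""")

# JG's working order: the combined set first, then the single groups, so the
# NARs on Group 1 apply only to users present in all three AD groups.
WORKING = parse_mappings("""
A,B,C =============> Group 1
A =============> Group 2
B =============> Group 3
C =============> Group 4
""")

if __name__ == "__main__":
    # Constructed users; "cisco", "cisco1", "cisco2" follow the thread's naming.
    users = {"cisco": {"A", "B", "C"}, "cisco1": {"A"}, "cisco2": {"B"},
             "guest": {"Marketing"}}
    for name, groups in users.items():
        print(f"{name:7} unsupported -> {map_user(UNSUPPORTED, groups)}"
              f" | working -> {map_user(WORKING, groups)}"
              f" | working, DEFAULT=No Access -> {map_user(WORKING, groups, NO_ACCESS)}")
```

Users in none of the mapped AD groups fall through to the DEFAULT row, which is why Prem's point about that row decides whether "everybody" can log in.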

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • AD group mapping failure

    I'm using ACS version Release 3.2(3) Build 11 and I have the proxy distribution table active without stripping domain names (user@domain). Whenever ACS consults AD as an external database, the user is authenticated but group mappings don't work!! Users are authenticated and are inserted into the Default user group.
    Is there some way to avoid this behavior and somehow configure AD to pass the Group name and, therefore allow the correct authentication within the correct group mapping.
    Nuno

    Hello,
    finally I have good news. The W2k3 (R2) caused this issue. I installed the RA on a member server running W2k3 Standard Edition and magically RA started working and authentication was done successfully.
    Note:
    This recommendation is not from the TAC engineer, but from a gentleman who experienced the same issue before.
    Many thx

  • Authenticate users by Windows group using ACS

    Currently we are using Windows IAS/RADIUS to authenticate users onto our wireless network and it is set to allow users in a certain Windows group to connect.
    Is there a way to do this with ACS?
    Please note that we are using ACS Solution Engine, not ACS for Windows.
    Thanks.

    Use Remote Agent for Windows user authentication feature or configure Windows AD as the LDAP on ACS SE.
    then configure group mapping, and put the restrictions accordingly.
    Regards,
    Prem
    Please rate if it helps!

  • Map acs to ad

    Hi,
    I have several different groups on the ACS (example: finance, sales, marketing). How do I map these to AD? (For example, if I have to put a person under the sales group then I want to go to AD and add him as a member of sales, and this should dynamically map and reflect on ACS.)
    Thanks

    Thanks for this. I have already mapped the user to the group and linked ACS and AD. But the dynamic entry is not created. However on the ACS I can see there are /local, /xyz (domain name), /default - 3 different domains. The /local has all users mapped to the default group on ACS. The /xyz is in the correct order - the way I wanted to map. I presume it's not working as ACS goes in order. It first looks at /local and then goes to xyz. Is this correct? So if I delete the /local it should work?
    But I just want to confirm one thing - I don't have to create an entry for the users manually if it goes well, isn't it?
    Thanks
    Sent from my Windows Phone

  • ASA WebVPN - restrict access to users in an AD group via ACS

    Hi folks.
    I'm doing a WebVPN pilot on one of our ASAs (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (let's call the group "VPNTEST").
    Right now the ASA does RADIUS auth against our ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows Active Directory domain.
    Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
    I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

    Try using the following to tie users to certain group policies:
    Using a RADIUS Server
    Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
    Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.
    Step 2 Set the Class attribute to the group policy name in the format OU=group_name
    For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.)

  • Move group of pages from one InDesign file to another InDesign File using VB.Script

    Dear team,
    I am trying to move group of InDesign pages from one indesign file to another indesign file using vb.script.
    I have written the code like
    Dim Pages=IndDoc.Pages
    Dim Mytype=TypeName(Pages)
    Pages.Move(InDesign.idLocationOptions.idBefore,IndDoc1.Pages.LastItem)
    but it is giving an error as method Move is not a member of Pages 
    Please give me the solution to move multiple pages or a group of pages from one Indd to another Indd.

    Hey Peter, if I want to move several pages that are part of Auto Flow text, I checked "delete page after moving" but the content is still there, not deleted.
    Is there any way to delete it automatically, just to make sure I have moved that autoflowed page?

  • How to scroll or move a map

    I want to figure out how to move a map if I have objects placed all around a huge area and one guy moving. Would I need to use scroll, and if so, how do I use it in this code?
    package {
        import flash.display.Sprite;
        import flash.events.MouseEvent;
        import flash.events.Event;
        import flash.events.KeyboardEvent;
        import flash.ui.Keyboard;
        public class platform extends Sprite {
            protected var hero:Hero;
            protected var char:Char;
            protected var keys:Array;
            protected const MAX_KEY:int = 128;
            public function platform() {
                // Hero is the large green rectangle that acts as the "map" background
                hero = new Hero();
                addChild(hero);
                hero.x = 0;
                hero.y = 0;
                var a:NestedCircles = new NestedCircles(true, 0xff0000);
                var b:NestedCircles = new NestedCircles(true, 0x0f0ff0);
                var c:NestedCircles = new NestedCircles(false, 0x000ff0);
                a.x = 100;
                b.x = 200;
                c.x = 300;
                a.y = b.y = c.y = 200;
                addChild(a); addChild(b); addChild(c);
                stage.addEventListener(KeyboardEvent.KEY_DOWN, onKey);
                stage.addEventListener(KeyboardEvent.KEY_UP, onKey);
                keys = new Array(MAX_KEY);
                // Char is the player, started in the middle of the stage
                char = new Char();
                addChild(char);
                char.x = stage.stageWidth/2;
                char.y = stage.stageHeight/2;
                addEventListener(Event.ENTER_FRAME, onEnterFrame);
                if (char.x >= stage.stageWidth) {
                    // scroll() is not defined anywhere in this code; that is the open question
                    scroll();
                }
            }
            protected function onKey(event:KeyboardEvent):void {
                // Record key state so onEnterFrame can poll it
                if (event.keyCode >= MAX_KEY) return;
                keys[event.keyCode] = (event.type == KeyboardEvent.KEY_DOWN);
            }
            protected function onEnterFrame(event:Event):void {
                if (keys[Keyboard.UP]) char.y -= char.height;
                if (keys[Keyboard.DOWN]) char.y += char.height;
                if (keys[Keyboard.LEFT]) char.x -= char.width;
                if (keys[Keyboard.RIGHT]) char.x += char.width;
            }
        }
    }
    // Helper classes below are outside the package block, so they are private to this file
    import flash.display.*;
    import flash.events.MouseEvent;
    class NestedCircles extends Sprite {
        public var child:NestedCircles;
        protected var stroke:Shape;
        public function NestedCircles(useRoll:Boolean, color:uint = 0,
                                      size:Number = 60, isChild:Boolean = false) {
            graphics.beginFill(color, 0.25);
            graphics.drawCircle(0, 0, size);
            graphics.endFill();
            // Yellow outline shown only while the mouse is over the circle
            stroke = new Shape();
            addChild(stroke);
            stroke.graphics.lineStyle(5, 0xffff00);
            stroke.graphics.drawCircle(0, 0, size);
            stroke.visible = false;
            if (useRoll) {
                addEventListener(MouseEvent.ROLL_OVER, handler);
                addEventListener(MouseEvent.ROLL_OUT, handler);
            } else {
                addEventListener(MouseEvent.MOUSE_OVER, handler);
                addEventListener(MouseEvent.MOUSE_OUT, handler);
            }
            if (!isChild) {
                child = new NestedCircles(useRoll, color, size/2, true);
                addChild(child);
                child.y = -size;
            }
        }
        protected function handler(event:MouseEvent):void {
            trace(event.target.name, event.type);
            switch (event.type) {
                case MouseEvent.MOUSE_OUT:
                case MouseEvent.ROLL_OUT:
                    stroke.visible = false;
                    event.stopPropagation();
                    break;
                case MouseEvent.MOUSE_OVER:
                case MouseEvent.ROLL_OVER:
                    stroke.visible = true;
                    event.stopPropagation();
                    break;
            }
        }
    }
    import flash.display.Shape;
    class Hero extends Shape {
        public function Hero() {
            graphics.beginFill(0x10c010);
            graphics.drawRect(0, 0, 500, 500);
            graphics.endFill();
        }
    }
    import flash.display.Shape;
    class Char extends Shape {
        public function Char() {
            graphics.beginFill(0x000000);
            graphics.drawRect(0, 0, 12, 30);
            graphics.endFill();
        }
    }

    Scrolling normally just involves incrementally adjusting the x or y property of an object via some control.  I doubt anyone is going to try to decipher your code to see where anything in the way of scrolling might fit in.

  • Fail safe cannot move Group

    Hello, I have installed Windows 2003 with Microsoft Cluster and 4 nodes, Oracle Fail Safe 3.3.2.
    The problem is I can move the groups using MCSC, but when I try to move a group with FS-Manager nothing is done.
    I press the Move Group button and nothing happens.
    can you help me ?
    Helmut

    Here is the error, in more details:
    Mon Sep 19 22:49:59 [srvr1] <DB_RES> ORCL.WORLD starting
    Mon Sep 19 22:49:59 [srvr1] <DB_RES> ORCL.WORLD connect as user "SYS", password is supplied, SYSDBA, PRELIM_AUTH
    Mon Sep 19 22:49:59 [srvr1] <DB_RES>  using bequeath
    Mon Sep 19 22:49:59 [srvr1] <DB_RES> ORCL.WORLD OCIServerAttach attach string "(DESCRIPTION=(ADDRESS=(PROTOCOL=BEQ)(PROGRAM=oracle)(ARGV0=oracleORCL)(ARGS='(DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq)))'))(CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=C:\WINDOWS\cluster\resrcmon.exe)(HOST=srvr1)(USER=DOMAIN\userservice))))"
    Mon Sep 19 22:49:59 [srvr1] <DB_RES> ORCL.WORLD ***** OCI routine OCIServerAttach Bequeath returned error -1 - OCI_ERROR
    Mon Sep 19 22:49:59 [srvr1] <COMMON> ORA-12631: Username retrieval failed
    Mon Sep 19 22:49:59 [srvr1] <DB_RES> ORCL.WORLD disconnect
    Mon Sep 19 22:49:59 [srvr1] <DB_RES> Event start
    Oracle Fail Safe resource ORCL.WORLD failed to start.
    ORA-12631: Username retrieval failed
