SSID To Group Mapping With ACS 5.1

Hi,
I am trying to implement PEAP authentication with ACS 5.1 and PEAP is working fine. I have two SSIDs with PEAP authentication and I have two groups in AD. I need to map one SSID to one group and the other SSID to the other group.
I implemented the same with ACS 4.2 (screenshot attached). Now the requirement is to implement the same concept in ACS 5.1. Could you please help me on this.

If you go under Access Policies and Service Selection Rules and check your hit count (you may need to refresh if you just tried connecting), see if the rule is incrementing.
If that rule has a condition tied to that SSID, it should only increment when that SSID sends traffic. If users' credentials are working, that's a separate issue.
For the Access service you created, the one that your selection rule feeds, check the following:
Identity will be set to Internal Users.
Authorization: you will need to have hit custom and selected "Identity Group" as a selector. Then when you make the rule, check that box and set it to your Staff group. Set the default at the bottom of the page to Deny Access.

Similar Messages

  • Issue with group mapping in ACS.

    When we map an AD group in ACS to an ACS group, it comes up as the AD group and * (as below: ",*"). Because of this *, everybody is able to log in irrespective of their AD group.
    Please suggest a way to add only the NT group alone, without the *.

    Actually '*' means something else.
    If you have a group on AD, say 'Alfa', when you do a mapping on ACS you'll see it like this:
    'Alfa', * ------- Group x
    The above means: if a user is a member of group 'Alfa' on AD, AND can also have any other group membership on AD (the meaning of *), then map them to Group x on ACS.
    It does not mean map everyone to Group x, even if they are not a member of group 'Alfa' on AD.
    As mentioned by JG above, all the users are able to authenticate because of your 'All other combinations' or \DEFAULT mapping on ACS.
    Map them to .
    Then only those for whom you have the mapping defined on ACS will be able to log in.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538
    Check Step 8:
    "The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."
    Regards,
    Prem

  • User in a windows group - mapping to acs group appears not be working

    I have a user in a Windows group; this Windows group is mapped to an ACS group, but when the user logs in it appears as the default group in ACS.
    Any suggestion?

    Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
    1. External User Databases - Database Configuration - Windows Database - Configure
    Make sure your domain is listed in, or moved to, the Domain List section.
    2. External User Databases - Database Group Mappings - Windows Database - Add Manual Mapping
    Make sure you have the right AD group mapped to the internal ACS group; you can even set users* if you want to include all users.
    3. External User Databases - Unknown User Policy
    Check the "Check the following external user databases" radio button and move Windows Database to Selected Databases.
    Check the "The database in which the user profile is held" radio button in the Configure Enable Password Behaviour section.
    Hope that helps!

  • Rules for AD Groups mapping with ECC roles in GRC

    Hi All,
    I'm actually looking at an option to define the rules in GRC where I can map AD (LDAP) groups to ECC roles. Is it possible? Could you please let me know if I can achieve this with Rule Architect in GRC 5.3 or by any other means.
    Regards
    - V

    Gurus,
    Any thoughts on this?
    Regards
    Vaib

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OUs in our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with an "External DB reports about an error condition" error. If I add an OU in front of it, then it works fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way I'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a RADIUS profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • 802.1x with ACS does not correctly work

    Hello
    I have here a WLAN setup with a WDS, some 40 access points, an ACS 4.1 server and a Windows Domain Controller which has the users configured.
    I have a group mapping in ACS configured which points to a small group in the ADS.
    The group mapping in ACS points to a specific group in ACS.
    There I've configured the following:
    [009\001] cisco-av-pair
    - ssid=xx-200 (the name of the SSID the clients connect)
    [006] Service-Type
    - Login
    [007] Framed-Protocol
    - PPP
    [025] Class
    - OU=pers; (this is not the special group where those users are in, but they are also in this one)
    [064] Tunnel-Type
    - Tag 1 Value Vlan
    [065] Tunnel-Medium-Type
    - Tag 1 Value 802
    [081] Tunnel-Private-Group-ID
    - Tag 1 Value 200 (the Vlan in which they should go)
    The good thing is, authentication with username and password works.
    The bad thing is, every user can authenticate and get into this SSID instead of only the users in the special group which points to this group mapping.
    The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.
    The logfile from the ACS also shows that the wrong users are mapped into the correct group like they should be, but they still get access.
    Here is the WDS configuration:
    aaa group server radius RADIUS_GROUP_WDS_RADIOMANAGEMENT
    server 10.1.1.30 auth-port 1645 acct-port 1646
    server 10.1.2.30 auth-port 1645 acct-port 1646
    aaa authentication login METHOD_WDS_RADIOMANAGEMENT group RADIUS_GROUP_WDS_RADIOMANAGEMENT
    aaa authentication enable default enable
    aaa session-id common
    radius-server host 10.1.1.30 auth-port 1645 acct-port 1646 key 7 xxxx
    radius-server host 10.1.2.30 auth-port 1645 acct-port 1646 key 7 xxxx
    radius-server retransmit 2
    radius-server timeout 18
    radius-server deadtime 1
    radius-server vsa send accounting
    wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT
    wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT
    ssid xx-200
    The accesspoint config:
    aaa authentication login METHOD_RAD_WDS_CLIENT group radius
    aaa authentication enable default enable
    aaa session-id common
    dot11 ssid xx-200
    vlan 200
    authentication open eap METHOD_RAD_WDS_CLIENT
    authentication network-eap METHOD_RAD_WDS_CLIENT
    authentication key-management wpa
    interface Dot11Radio0
    encryption vlan 200 mode ciphers aes-ccm
    broadcast-key vlan 200 change 60
    ssid xx-200
    interface Dot11Radio0.200
    description
    encapsulation dot1Q 200
    no ip route-cache
    no cdp enable
    bridge-group 200
    bridge-group 200 subscriber-loop-control
    bridge-group 200 block-unknown-source
    no bridge-group 200 source-learning
    no bridge-group 200 unicast-flooding
    bridge-group 200 spanning-disabled
    interface FastEthernet0.200
    description
    encapsulation dot1Q 200
    no ip route-cache
    bridge-group 200
    no bridge-group 200 source-learning
    bridge-group 200 spanning-disabled
    I hope you can find why any user can authenticate and not just the ones in the group mapping which has the RADIUS attributes configured.
    Thanks,
    pato

    I have finally found something to look into :/
    000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6
    000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]
    000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
    000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
    This is with various debugging active on the WDS. And this might be the reason why it doesn't work.

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership and map it appropriately to an identity group.
    What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
    I tried several configuration choices, from AD1:ExternalGroups contains any <string showing in AD> to AD1:memberOf <group>.
    Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    Ok, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2-factor authentication).
    I didn't add all the VPN users in the ACS, because it would be troublesome; the users' authentication will be managed by AD and the RSA server.
    In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.
    Following the Cisco docs, I managed to get the downloadable ACL working when the authorization profile matching criterion is username, but when I change the matching criterion to Identity Group, the downloadable ACL won't work.
    I have a case open with a Cisco engineer now and we are still in the middle of sorting things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal Users instead of the RSA server, but that will require us (the admins) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • ACS 3.3 Windows group mapping problem

    Hi,
    I'm running Cisco Secure ACS v3.3 on a Win 2000 server (SP4). The ACS server is a member of AD domain X. Additionally, there are two AD forests: domains X and Y are in the same forest, but domain Z is a member of the second one. Trust relationships between all domains are established (AD Domain Controllers are W2K3 servers). I need to add Windows AD group mappings, and that's no problem in domains X and Y. But when I'm trying to map some groups from the Z domain, the error "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." appears. In the ACS documentation I have found this information: "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it, it's impossible to add a mapping from the second forest? Am I right? Is the problem solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
    Thanks,
    Peter

    You need to set up a proxy.
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
    Look for "Cross-Forest Authentication" in the above link and you will get the idea of what I mean. Though in the above link it is depicted with an IAS server, the same is possible with ACS, as both can act as a RADIUS server.
    There is a known bug, CSCsi04187:
    PEAP MS-CHAP machine authentication will fail with "machine not found" if the host/ format is sent from the client. This only happens if the machine is authenticating to a domain forest that the ACS is not a member of.
    Conditions:
    The machine authenticating to ACS is in a different domain forest than the ACS, and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
    Workaround:
    If the supplicant has the option, you can send the machine name in hos/ format.
    Many supplicants do not have this option.
    It is to be fixed for the ACS 4.2 release.
    Regards,
    ~JG

  • ACS group mapping

    Hello
    We are using ACS 4.2 to authenticate network admins to access switches and routers. ACS is integrated with Windows Active Directory.
    So we map AD groups to ACS groups and we specify access restrictions in ACS groups.
    Now we want to use this ACS to authenticate wireless users. Wireless users will use their AD accounts.
    So I think we should create a new internal group in ACS and map AD mobile users to this group. Using RADIUS attributes we can put these users in one particular VLAN.
    However, what if one network administrator accesses the wireless network? He will use the AD account that belongs to both groups: the network-admin group and the wireless group.
    So what will ACS do in this case? Will it be mapped to the first group or the second, or maybe both?!!!

    I can't see how NAP can resolve my issue.
    Suppose ohasairi is one account in AD that belongs to the AD groups network-admin and wireless-users.
    AD network-admin is mapped to the ACS network-admin group. This group is configured with a NAR to limit access to some network devices.
    AD wireless-users is mapped to ACS wireless-users, which is configured with adequate Airespace attributes and IETF attributes to put it in VLAN 80 (wireless VLAN).
    Now if I put the network-admin mapping first, then if ohasairi tries to access the wireless network it will not succeed, because it will be mapped to the network-admin group, and this group is not configured with the IETF attributes that put the user in VLAN 80!
    If I put the wireless-users mapping first, then if ohasairi tries to access a network device, I am afraid it will be assigned to VLAN 80!

  • ACS Group mapping and restrictions

    Hi,
    I would appreciate receiving some configuration steps on ACS to fulfill the following requirement and hope you can help me.
    ACS Groups
    Netadmin - needs telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    Thanks in advance.

    In ACS a user can only belong to one group. But in AD we can have one user be a part of multiple groups.
    In this scenario, it is very important to understand how ACS group mapping works.
    Let's say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to External User Databases == Database Group Mappings == Windows NT/2000 == select the domain to which you are authenticating == Add mapping.
    Select the AD group NetworkAdmin and map it to CiscoSecure group 1.
    Select the AD group RouterAdmin and map it to CiscoSecure group 2.
    Select the AD group Wireless and map it to CiscoSecure group 3.
    Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is the first configured mapping, it will be looked for FIRST (if a user exists in the NetworkAdmin group it will always be mapped to CiscoSecure group 1, NO further mappings for this user are checked, and the user is authenticated or rejected).
    Scenario: if you have a user called cisco in the NetworkAdmin group, cisco1 in the RouterAdmin group, and cisco2 in Wireless, they will always be dynamically mapped to ACS groups 1, 2 and 3 respectively as per the above mappings.
    You can check the mappings in the passed authentications for users to see what group they are getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices, you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. With these you permit access on a group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for wireless or VPN devices, you would need to configure both IP-based AND CLI/DNIS-based together, because NARs were originally designed for Cisco IOS routers and switches.
    IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password). The only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.
    ACS will not support the following configuration:
    * An Active Directory user that is a member of 3 AD groups (group A, B and C).
    * Those 3 groups are mapped within ACS as follows: Group1->A, Group2->B and Group3->C.
    * The user is in all 3 groups; however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the below order...
    NT Groups ACS groups
    A,B,C =============> Group 1
    A =============> Group 2
    B =============> Group 3
    C =============> Group 4
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in Group 1.
    This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
    You can create a rule for users in group A (Group 2).
    You can create a rule for users in group B (Group 3).
    You can create a rule for users in group C (Group 4).
    Regards,
    ~JG
    Do rate helpful posts
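The first-match behaviour JG describes above, the "*" semantics explained in the "Issue with group mapping in ACS" reply, and the ohasairi case from the "ACS group mapping" post can all be checked with a small model. This is an added example, not code from the thread or from Cisco ACS; the group names and ACS group labels are constructed sample data, and `shadowed_rows` is a hypothetical helper for spotting mapping rows that can never fire.

```python
# Added example (not from the thread): a model of how ACS 4.x evaluates
# "Database Group Mappings" rows in order, stopping at the first match.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Mapping:
    """One mapping row: a set of AD groups mapped to a single ACS group.
    The trailing '*' shown in the ACS UI means the user may hold other AD
    groups too, so a row matches when its set is a SUBSET of the user's
    groups, not when the user's groups equal the set exactly."""
    ad_groups: frozenset
    acs_group: str


def map_user(user_ad_groups: Iterable[str], mappings: List[Mapping],
             default: str = "DEFAULT") -> str:
    """Return the ACS group of the first matching row; later rows are never
    consulted. 'default' stands for the 'All other combinations' row, which
    the thread recommends pointing at No Access so unmapped users fail."""
    groups = frozenset(user_ad_groups)
    for row in mappings:
        if row.ad_groups <= groups:
            return row.acs_group
    return default


def shadowed_rows(mappings: List[Mapping]) -> List[int]:
    """Indexes of rows that can never fire: an earlier row whose set is a
    subset of this row's set always matches first. A NAR attached to a
    shadowed row's ACS group is never enforced, so check this before relying
    on it (hypothetical helper, not an ACS feature)."""
    dead = []
    for i, row in enumerate(mappings):
        if any(earlier.ad_groups <= row.ad_groups for earlier in mappings[:i]):
            dead.append(i)
    return dead


# Constructed sample data modelled on the thread's scenarios.
# Ordering from the 'ACS group mapping' question: network-admin first.
ADMIN_FIRST = [
    Mapping(frozenset({"network-admin"}), "acs-network-admin"),
    Mapping(frozenset({"wireless-users"}), "acs-wireless-users"),
]
# JG's suggested ordering: the combined set first, single groups after.
COMBINED_FIRST = [
    Mapping(frozenset({"A", "B", "C"}), "Group 1"),
    Mapping(frozenset({"A"}), "Group 2"),
    Mapping(frozenset({"B"}), "Group 3"),
    Mapping(frozenset({"C"}), "Group 4"),
]
# The reverse order, which makes the combined row unreachable.
SINGLES_FIRST = [
    Mapping(frozenset({"A"}), "Group 2"),
    Mapping(frozenset({"A", "B", "C"}), "Group 1"),
]

if __name__ == "__main__":
    # ohasairi is in both AD groups but lands in only one ACS group.
    print(map_user({"network-admin", "wireless-users"}, ADMIN_FIRST))
    print(map_user({"A", "B", "C"}, COMBINED_FIRST), map_user({"B"}, COMBINED_FIRST))
    print(map_user({"Other"}, COMBINED_FIRST, default="No Access"))
    print(shadowed_rows(SINGLES_FIRST))
```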

  • Move group mapping ACS 3.3 or 4.0

    Hi,
    Is there some possibility to move a group mapping UP/DOWN in the list of mappings? When I create a mapping it's at the end of the list, but I need to move this rule to another position in the list because there is a sequential system for matching rules.

    In ACS 3.3(11):
    External User Databases...Database Group Mappings...Pick Database...Pick Domain (if Windows) or Pick Tree (if NDS)...
    This should bring you to your group listings; click Order Mappings, then you can move your groups up or down.

  • ACS Group to NT Group mapping

    Can anyone tell me if the ACS server (2.6 Build 10) needs to be in the domain (or a trusted domain) that you want to map your ACS groups to? My ACS server is a stand-alone server, not a member of any domain, but I cannot map users to groups anywhere except the local ACS NT groups. Any help is appreciated.
    Tom

    You won't be able to map your domain users/groups to the ACS database unless the server is in the domain. A standalone server will have a local security database only.

  • Can't auth to Nortels networks devices using RADIUS with ACS 5.1

    Hi,
    I've got a problem with ACS 5.1 RADIUS authentication for Nortel network devices (Baystack 470, ERS 5530/5510, Passport 8606).
    After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers,
    I can't manage to log in using RADIUS and I get the following message:
    "Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
    But in my ACS View, I can see: "Authentication succeeded."
    I've also checked the RADIUS frames; the "Access-Request" and "Access-Accept" are correctly transmitted.
    I've got no problems with RADIUS auth using other brands of devices.
    Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
    Regards.

    Are you sure that setting up a compound condition will help?
    To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication we stay within the IETF RADIUS standards, no?).
    Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
    Here are my steps in the ACS View:
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - Default Network Access
    Evaluating Identity Policy
    15006 Matched Default Rule
    15013 Selected Identity Store - Internal Users
    24210 Looking up User in Internal Users IDStore - radius
    24212 Found User in Internal Users IDStore
    22037 Authentication Passed
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    11002 Returned RADIUS Access-Accept
    So I think the ACS does its job.

  • XSLT Mapping with Java Enhancement

    Hi All
    I am working on XSLT Mapping with Java Enhancement.
    To do this scenario I have followed the following link.
    http://help.sap.com/saphelp_nw04/helpdata/en/55/7ef3003fc411d6b1f700508b5d5211/frameset.htm
    As per the above link I have created Source and Target Data Types, Message Types, Message Interfaces, the XSLT Mapping (using the transaction XSLT_TOOL) and the Interface Mapping part, and configured a simple file-to-file scenario in the ID part.
    Apart from this I have written the Java code, compiled the Java code, created the jar file using the .java and .class files, and after creating the jar file imported the .jar file in the imported archive of the IR.
    When I am trying to execute the scenario I am getting the successful message in SXMB_MONI, but the target file has the payload as given below.
    <?xml version ="1.0" encoding="UTF-8"?>
    <name xmlns:javamap="java:com.company.group.MappingClass"/>
    And as per the XSLT mapping the payload should be as below:
    <?xml version ="1.0" encoding="UTF-8"?>
    <person>
    <name>Rinku Gangwani</name>
    </person>
    I have also followed the following blog link but I am still getting the same issue:
    /people/pooja.pandey/blog/2005/06/27/xslt-mapping-with-java-enhancement-for-beginners
    Could you please tell me what the reason can be that I am getting blank target field values in the payload.
    Thanks
    Rinku Gangwani

    Hi,
    The transaction code XSLT_TOOL is for ABAP XSLT mapping. But the Java enhancement is used for normal XSLT mapping which we create using Stylus Studio. You cannot access the Java enhancement in ABAP XSLT mapping.
    If you want to use the Java enhancement in XSLT mapping, then create an XSLT mapping using Stylus Studio, save the file as .xsl, zip the .xsl and import it into the imported archive.
    Regards,
    Prakasu.M
    Edited by: prakasu on May 28, 2009 1:46 PM

  • 0GR_VAL_PD KF has not mapped with source in 0Pur_C01 but value comes

    Hi All
    I have a problem with the 0GR_VAL_PD KF in the 0PUR_C01 cube. The 0GR_VAL_PD KF is not mapped with the source in 0PUR_C01, but at report level a value is coming for purchase organisation and material group.
    But the GR value as at posting date (0GR_VAL_PD) is not coming for a particular material group or purch. org., although some days before, values were coming for that particular material group or purch. org.
    So I need your help.
    Thanks n Regards,
    Gaurav Sekhri
    Edited by: gaurav sekhri on Aug 18, 2010 11:41 AM
    Edited by: gaurav sekhri on Aug 18, 2010 11:43 AM

    Hi Susan
    Which datasource are you using at present? Normally 0PUR_C01 gets loaded from 2LIS_02_ITM and 2LIS_02_SCL. The key figure that you have mentioned will come from 2LIS_02_SCL with the code that you have written.
    The code that you have written should work. Please check if the code is in the transformation from 2LIS_02_SCL.
    Share the details on why you think the solution didn't work.
    Regards
    Karthik
