SSID To Group Mapping With ACS 5.1
Hi,
I am trying to implement PEAP authentication with ACS 5.1 and PEAP is working fine. I have two SSIDs with PEAP authentication and I have two groups in AD. I need to map one SSID with one group and the other SSID with the other group.
I implemented the same with ACS 4.2 (screenshot attached). Now the requirement is to implement the same concept in ACS 5.1. Could you please help me with this.
If you go under Access Policies and Service Selection Rules and check your hit count (you may need to refresh if you just tried connecting), see if the rule is incrementing.
If that rule has a condition tied to that SSID, it should only increment when that SSID sends traffic. If users' credentials are working, that's a separate issue.
For the Access service you created, that your selection rule feeds, check the following:
Identity will be set to Internal Users.
Authorization: you will need to have hit Custom and selected "Identity Group" as a selector. Then when you make the rule, check that box and set it to your Staff Group. Set the default at the bottom of the page to Deny Access.
Similar Messages
Issue with group mapping in ACS.
When we map an AD group in ACS with an ACS group it comes up as the AD group and * (as below: ",*"). Because of this * everybody is able to login irrespective of his AD group.
Please suggest a way to only add the NT Group alone without the *.

Actually '*' means something else.
If you have a group on AD say 'Alfa'
when you do a mapping on ACS, you'll see it like this,
'Alfa', * ------- Group x
Above means: if a user is a member of Group 'Alfa' on AD, AND can also have any other group membership on AD (the meaning of *), then map it to Group x on ACS.
It does not mean map everyone to Group x, even if they are not a member of Group 'Alfa' on AD.
As mentioned by JG above, all the users are able to authenticate because of your 'All other combinations' or \DEFAULT mapping on ACS.
Map them to .
Then only those will be able to log in, for whom you have the mapping defined on ACS.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538
Check Step 8,
"The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."
Regards,
Prem
User in a Windows group - mapping to ACS group appears not to be working
I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
Any suggestion?

Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
1. External User Databases - Database Configuration - Windows Database - Configure
Make sure your domain is listed in or moved to the Domain List section.
2. External User Databases - Database Group Mappings - Windows Database - Add Manual Mapping
Make sure you have the right AD group mapped to the internal ACS group; you can even set users* if you want to include all users.
3. External User Databases - Unknown User Policy
Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases.
Check the "The database in which the user profile is held" radio dial in the Configure Enable Password Behaviour section.
Hope that helps!
Rules for AD Groups mapping with ECC roles in GRC
Hi All,
I'm actually looking at an option to define the rules in GRC where I can map AD (LDAP) groups to ECC roles. Is it possible? Could you please let me know if I can achieve this with Rule Architect in GRC 5.3 or by any other means.
Regards,
V

Gurus,
Any thoughts on this?
Regards,
Vaib
RSA authentication with LDAP group mapping
Greetings,
I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
The problem I'm having is that my users are in multiple OUs in our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with an "External DB reports about an error condition" error. If I add an OU in front of it, then it works fine.
As far as I know, you can only use one LDAP configuration with RSA.
Any thoughts on this?

@Tarik
I believe your suggestion is the only way I'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
I would still prefer to do this dynamically.
Scott
802.1x with ACS does not work correctly
Hello
I have here a WLAN setup with a WDS, some 40 access points, an ACS 4.1 server and a Windows Domain Controller which has the users configured.
I have a group mapping in ACS configured which points to a small group in the ADS.
The groupmapping in ACS points to a specific group in ACS.
There I've configured the following:
[009\001] cisco-av-pair
- ssid=xx-200 (the name of the SSID the clients connect to)
[006] Service-Type
- Login
[007] Framed-Protocol
- PPP
[025] Class
- OU=pers; (this is not the special group where those users are in, but they are also in this one)
[064] Tunnel-Type
- Tag 1 Value Vlan
[065] Tunnel-Medium-Type
- Tag 1 Value 802
[081] Tunnel-Private-Group-ID
- Tag 1 Value 200 (the Vlan in which they should go)
The good thing is, authentication with username password works.
The bad thing is, every user can authenticate and get into this SSID instead of only the users in the special group which points to this group mapping.
The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.
The logfile from the ACS also shows that the wrong users are mapped into the correct group like they should, but they still get access.
Here is the WDS configuration:
aaa group server radius RADIUS_GROUP_WDS_RADIOMANAGEMENT
server 10.1.1.30 auth-port 1645 acct-port 1646
server 10.1.2.30 auth-port 1645 acct-port 1646
aaa authentication login METHOD_WDS_RADIOMANAGEMENT group RADIUS_GROUP_WDS_RADIOMANAGEMENT
aaa authentication enable default enable
aaa session-id common
radius-server host 10.1.1.30 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server host 10.1.2.30 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server retransmit 2
radius-server timeout 18
radius-server deadtime 1
radius-server vsa send accounting
wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT
wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT
ssid xx-200
The access point config:
aaa authentication login METHOD_RAD_WDS_CLIENT group radius
aaa authentication enable default enable
aaa session-id common
dot11 ssid xx-200
vlan 200
authentication open eap METHOD_RAD_WDS_CLIENT
authentication network-eap METHOD_RAD_WDS_CLIENT
authentication key-management wpa
interface Dot11Radio0
encryption vlan 200 mode ciphers aes-ccm
broadcast-key vlan 200 change 60
ssid xx-200
interface Dot11Radio0.200
description
encapsulation dot1Q 200
no ip route-cache
no cdp enable
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
interface FastEthernet0.200
description
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
no bridge-group 200 source-learning
bridge-group 200 spanning-disabled
I hope you can find out why any user can authenticate and not just the ones in the group mapping which has the RADIUS attributes configured.
Thanks,
pato

I have finally found something to look into :/
000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6
000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]
000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
This is with various debugging active on the WDS. And this might be the reason why it doesn't work.
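The four debug lines above are the clue pato was looking for: the attribute the WDS reports as unsupported is exactly the one carrying the SSID. As an added example (not from the original thread and not Cisco's code), this Python pairs each "AAA Unsupported Attr" line with the hex dump that follows it, decodes the value and sanity-checks the declared length. The sample lines are constructed (SSID xx-200 from the post, interface 25), and the assumption that the declared length counts a 2-byte type/length header is mine.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample, same layout as the WDS "debug radius" output in the post.
SAMPLE_DEBUG = [
    "000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 8",
    "000620: Jan 18 16:50:11 A: RADIUS: 78 78 2D 32 30 30 [xx-200]",
    "000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4",
    "000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]",
]

ATTR_RE = re.compile(
    r"RADIUS: AAA Unsupported Attr: (?P<name>\S+) \[(?P<id>\d+)\] (?P<len>\d+)")
HEX_RE = re.compile(r"RADIUS: (?P<hex>(?:[0-9A-Fa-f]{2} )+)\[")


@dataclass
class UnsupportedAttr:
    name: str                      # attribute name as IOS prints it (e.g. ssid)
    attr_id: int                   # the bracketed number, e.g. 263
    declared_len: int              # the trailing length field
    value: Optional[str] = None    # ASCII decoded from the hex dump line
    length_ok: Optional[bool] = None  # declared_len == 2 + payload bytes (assumption)


def parse_unsupported_attrs(lines: Iterable[str]) -> List[UnsupportedAttr]:
    """Return every attribute the AAA layer flagged as unsupported, with the
    value decoded from the hex dump line that immediately follows it."""
    found: List[UnsupportedAttr] = []
    pending: Optional[UnsupportedAttr] = None
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            pending = UnsupportedAttr(m["name"], int(m["id"]), int(m["len"]))
            found.append(pending)
            continue
        h = HEX_RE.search(line)
        if h and pending is not None:
            raw = bytes.fromhex(h["hex"].replace(" ", ""))
            pending.value = raw.decode("ascii", errors="replace")
            # Assumption: the printed length includes the RADIUS AVP type and
            # length octets, so the payload is declared_len - 2 bytes.
            pending.length_ok = pending.declared_len == len(raw) + 2
            pending = None
    return found


def unsupported_attr_names(lines: Iterable[str]) -> List[str]:
    """Just the names, handy for a quick grep-style triage of a long debug."""
    return [a.name for a in parse_unsupported_attrs(lines)]


if __name__ == "__main__":
    for attr in parse_unsupported_attrs(SAMPLE_DEBUG):
        print(attr)
```

An attribute that shows up here is dropped by the access point, so a VLAN or SSID restriction carried only in that attribute never takes effect on the client side.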
ACS 5.3 Group Mapping based on AD group membership
Hi,
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group.
What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
Thank you,
Sami

Ok, my case is like this.
I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (two-factor authentication).
I didn't add all the VPN users in the ACS, because it would be troublesome; the users' authentication will be managed by AD and the RSA server.
In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.
Following the Cisco docs, I managed to get the downloadable ACL working when the authorization profile matching criterion is username, but when I change the matching criterion to Identity group, the downloadable ACL won't work.
I have a case with Cisco engineer now and still in the middle to sort things out.
The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
Wondering whether there is a fix for this.
Thanks.
ACS 3.3 Windows group mapping problem
Hi,
I'm running Cisco Secure ACS v3.3 on a Win 2000 server (SP4). The ACS server is a member of AD domain X. Additionally, there are two AD forests: domains X and Y are in the same forest, but domain Z is a member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv).
I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from the Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears.
In the ACS documentation I have found the information: "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication."
As I understand it, it's impossible to add a mapping from the second forest? Am I right? Is the problem solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
Thanks,
Peter

You need to set up a proxy.
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
Look for "Cross-Forest Authentication" in the above link and you get the idea of what I mean. Though in the above link it's depicted with an IAS server, the same is possible with ACS, as both can act as RADIUS servers.
There is a known bug, CSCsi04187
PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from the client. This only happens if the machine is authenticating to a domain forest that the ACS is not a member of.
Conditions:
The machine authenticating to ACS is in a different domain forest than the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
Workaround:
If the supplicant has the option you can send the machine name in hos/ format.
Many supplicants do not have this option.
It is to be fixed for ACS 4.2 release.
Regards,
~JG
Hello,
We are using ACS 4.2 to authenticate network admins to access switches and routers. ACS is integrated with Windows Active Directory.
So we map AD groups to ACS groups and we specify access restrictions in ACS groups.
Now we want to use this ACS to authenticate wireless users. Wireless users will use their AD accounts.
So I think we should create a new internal group in ACS and map AD mobile users to this group. Using RADIUS attributes we can put these users in one particular VLAN.
However, what if one network administrator accesses the wireless network? He will use the AD account that belongs to both groups: the network-admin group and the wireless group.
So what will ACS do in this case? Will it be mapped to the first group or the second, or maybe both?!!!

I can't see how NAP can resolve my issue.
Suppose ohasairi is one account in AD that belongs to AD groups network-admin and wireless-users.
AD network-admin is mapped to the ACS network-admin group. This group is configured with a NAR to limit access to some network devices.
AD wireless-users is mapped to ACS wireless-users, which is configured with adequate Airespace attributes and IETF attributes to let it into VLAN 80 (wireless VLAN).
Now if I put the network-admin map first, then if ohasairi tries to access the wireless network it will not succeed because it will be mapped to the network-admin group, and this group is not configured with IETF attributes that let the user into VLAN 80!
If I put the wireless-users map first, then if ohasairi tries to access one network device, I am afraid it will be assigned to VLAN 80!
ACS Group mapping and restrictions
hi,
I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
ACS Groups
Netadmin - need telnet/ssh/vpn/wireless
wireless - only wireless authentication
vpn - only vpn authentication
I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
Also please note that one user can belong to all three groups in ACS/AD.
Thanks in advance.

In ACS a user can only belong to one group. But in AD we can have one user as part of multiple groups.
In this scenario, it is very important to understand how ACS group mapping works.
Let's say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to External User Database == Database Group Mappings == Windows NT/2000 == select the domain to which you are authenticating == Add mapping.
Select the AD group NetworkAdmin and map it to ciscosecure group 1
select the AD group RouterAdmin and map it to ciscosecure group 2
select the AD group Wireless and map it to ciscosecure group 3
Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is the first configured mapping, it will be looked for FIRST (if a user exists in the NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further mappings for this user are checked, and the user is authenticated or rejected).
Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
SCENARIO:
Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
NOTE:
If you are applying NARs for Wireless or VPN devices, you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for Cisco IOS routers and switches.
IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password); the only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.
ACS will not support the following configuration:
* An Active Directory user that is a member of 3 AD groups (group A, B and C).
* Those 3 groups are mapped within ACS as follows: Group1->A, Group2->B and Group3->C.
* The user is in all 3 groups, however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
However, if your mappings are in the below order...
NT Groups              ACS groups
A,B,C  =============>  Group 1
A      =============>  Group 2
B      =============>  Group 3
C      =============>  Group 4
You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group 1.
This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
You can create a rule for users in group A (Group 2)
You can create a rule for users in group B (Group 3)
You can create a rule for users in group C (Group 4)
Regards,
~JG
Do rate helpful posts
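As an added example (not Cisco's code and not from any of the posts), the following Python models the ordered, first-match group mapping that Prem's reply ('Alfa', * -> Group x), the network-admin/wireless-users question and JG's reply above all describe. The group names come from those posts; representing the "All other combinations" entry as a `default` argument, with None standing for the no-access mapping, is my assumption.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence


@dataclass(frozen=True)
class GroupMapping:
    """One entry in the ACS 'Database Group Mappings' list.

    required: the AD groups a user must hold (all of them). The '*' that ACS
    shows after each set is implied: extra memberships are tolerated.
    """
    required: frozenset
    acs_group: str


def evaluate_mappings(mappings: Sequence[GroupMapping],
                      user_groups: Iterable[str],
                      default: Optional[str] = None) -> Optional[str]:
    """Walk the list in configured order; the first match wins and nothing
    after it is consulted. `default` models the 'All other combinations'
    (\\DEFAULT) entry; None stands for the no-access mapping (assumption)."""
    held = frozenset(user_groups)
    for m in mappings:
        if m.required <= held:        # subset test is the '*' semantics
            return m.acs_group
    return default


# Prem's case: 'Alfa', * -> Group x. Only the default entry admits everyone.
ALFA_ONLY = [GroupMapping(frozenset({"Alfa"}), "Group x")]

# The network-admin / wireless-users question: ohasairi is in both AD groups.
ADMIN_FIRST = [
    GroupMapping(frozenset({"network-admin"}), "ACS network-admin"),
    GroupMapping(frozenset({"wireless-users"}), "ACS wireless-users"),
]
WIRELESS_FIRST = list(reversed(ADMIN_FIRST))

# JG's unsupported order: Group1->A, Group2->B, Group3->C.
FLAT_ORDER = [
    GroupMapping(frozenset({"A"}), "Group 1"),
    GroupMapping(frozenset({"B"}), "Group 2"),
    GroupMapping(frozenset({"C"}), "Group 3"),
]

# JG's recommended order: the combination A,B,C is listed before the singles.
SPECIFIC_FIRST = [
    GroupMapping(frozenset({"A", "B", "C"}), "Group 1"),
    GroupMapping(frozenset({"A"}), "Group 2"),
    GroupMapping(frozenset({"B"}), "Group 3"),
    GroupMapping(frozenset({"C"}), "Group 4"),
]


if __name__ == "__main__":
    # A non-member only lands in Group x because the default points there.
    print(evaluate_mappings(ALFA_ONLY, {"Sales"}, default="Group x"))  # Group x
    print(evaluate_mappings(ALFA_ONLY, {"Sales"}))                     # None
    # Whichever mapping is listed first decides, regardless of the device.
    print(evaluate_mappings(ADMIN_FIRST, {"network-admin", "wireless-users"}))
    print(evaluate_mappings(WIRELESS_FIRST, {"network-admin", "wireless-users"}))
    # A user in all three groups reaches Group 1 either way, but only the
    # specific-first order gives B-only and C-only users their own group.
    for order in (FLAT_ORDER, SPECIFIC_FIRST):
        print([evaluate_mappings(order, g)
               for g in ({"A", "B", "C"}, {"B", "C"}, {"C"})])
```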
Move group mapping ACS 3.3 or 4.0
Hi,
Is there some possibility to move some group mapping UP/DOWN in the list of mappings? When I create some mapping it's at the end of the list but I need to move this rule to another position in the list because there is a sequential system for matching rules.

In ACS 3.3(11):
External User Database...Database Group Mappings...Pick Database...Pick Domain(If Windows) or Pick Tree(if NDS)...
This should bring you to your group listings. Click Order Mappings, then you can move your groups up or down.
Can anyone tell me if the ACS server (2.6 Build 10) needs be in the domain (or a trusted domain) that you want to map your ACS groups to? My ACS server is a stand-alone server, not a member of any domain, but I cannot map users to groups anywhere except the local ACS NT Groups. Any help is appreciated.
Tom

You won't be able to map your domain users/groups to the ACS database unless the server is on the domain. A standalone server will have a local security database only.
Can't auth to Nortel network devices using RADIUS with ACS 5.1
Hi,
I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers, I can't manage to log in using RADIUS and I get the following message:
"Permission denied, please try again" or "No response from RADIUS server" (?) (depending on the device type)
But in my ACS View, I can see : "Authentication succeeded."
I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
I've got no problems with RADIUS auth using other brands' devices.
Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
Regards.

Are you sure that setting up a compound condition will help?
To me, the Nortel RADIUS VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication we stay within the IETF RADIUS standards, no?).
Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
Here are my steps in the ACS View:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - radius
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
So I think the ACS does its job.
XSLT Mapping with Java Enhancement
Hi All
I am working on XSLT Mapping with Java Enhancement.
To do this scenario i have followed the following link.
http://help.sap.com/saphelp_nw04/helpdata/en/55/7ef3003fc411d6b1f700508b5d5211/frameset.htm
As per the above link I have created Source and Target Data Types, Message Types, Message Interfaces, XSLT Mapping (using the transaction XSLT_TOOL) and the Interface Mapping part, and configured a simple file to file scenario in the ID part.
Apart from this I have written the Java code, compiled the Java code, created the jar file using the .java and .class files and, after creating the jar file, imported the .jar file in the imported archive of the IR.
when I am trying to execute the scenario I am getting the successful message in SXMB_MONI but the target file is having the payload as given below.
<?xml version ="1.0" encoding="UTF-8"?>
<name xmlns:javamap="java:com.company.group.MappingClass"/>
And as per the XSLT mapping the payload should be as below
<?xml version ="1.0" encoding="UTF-8"?>
<person>
<name>Rinku Gangwani</name>
</person>
I have also followed the following blog link but still i am getting the same issue
/people/pooja.pandey/blog/2005/06/27/xslt-mapping-with-java-enhancement-for-beginners
Could you please tell me what can be the reason that I am getting blank target field values in the payload.
Thanks
Rinku Gangwani

Hi,
The transaction code XSLT_TOOL is for ABAP XSLT mapping. But the Java Enhancement is used for normal XSLT mapping which we create using Stylus Studio. You cannot access the Java Enhancement in ABAP XSLT mapping.
If you want to use Java Enhancement in xslt mapping then create a xslt mapping using Stylus Studio and save the file as .xsl and zip the .xsl and import to import archive.
Regards,
Prakasu.M
Edited by: prakasu on May 28, 2009 1:46 PM
0GR_VAL_PD KF has not mapped with source in 0Pur_C01 but value comes
HI All
I have problem with 0GR_VAL_PD kf in 0PUR_C01 cube. 0GR_VAL_PD KF has not mapped with source in 0Pur_C01 but in report level, value is coming for purchase organisation,material group .
But GR value as at posting date (0GR_VAL_PD)value not coming for particular material group or purch. org. but some days before, values were coming for particular material group or purch. org..
so need your help.
Thanks n Regards,
Gaurav Sekhri
Edited by: gaurav sekhri on Aug 18, 2010 11:41 AM
Edited by: gaurav sekhri on Aug 18, 2010 11:43 AM

Hi Susan,
Which datasource you are using at present. Normally 0PUR_C01 gets loaded from 2LIS_02_ITM and 2LIS_02_SCL. The keyfigure that you have mentioned will come from 2LIS_02_SCL with the code that you have written.
The code that you have written should work. Please check if the code is in the transformation from 2LIS_02_SCL.
Share the details on why do you think the solution didn't work.
Regards
Karthik