User in a windows group - mapping to acs group appears not be working

Similar Messages

• What is wrong? The "show my windows and tabs from last time" has not been working these past two or three days. It was fine before. Ive changed nothing except the last update from you. Thank you.

  What is wrong? The "show my windows and tabs from last time" has not been working these past two or three days. It was fine before. Ive changed nothing except the last update from you. Thank you.

  Make sure that you do not use "Clear Recent History" to clear the "Browsing History" when Firefox is closed because that prevails and prevents Firefox from opening tabs from the previous session.
  * https://support.mozilla.com/kb/Clear+Recent+History
  It is possible that there is a problem with the files sessionstore.js and sessionstore.bak in the Firefox Profile Folder.
  Delete the files sessionstore.js and sessionstore.bak in the Firefox Profile Folder.
  * Help > Troubleshooting Information > Profile Directory: Open Containing Folder
  * http://kb.mozillazine.org/Profile_folder_-_Firefox
  * http://kb.mozillazine.org/Session_Restore
  * http://kb.mozillazine.org/sessionstore.js
  If you use cleanup software like CCleaner then make sure that Session is unchecked in the settings for the Firefox application.

• Issue with group mapping in ACS.

  When we map AD group in ACS with ACS group it coming as AD group and * (As below “ ,* ” ) , Because of this * everybody is able to login irrespective of his AD group.
  Please suggest way to only add the NT Group alone without the *.

  Actually '*' means something else.
  If you have a group on AD say 'Alfa'
  when you do a mapping on ACS, you'll see it like this,
  'Alfa', * ------- Group x
  Above means, if a user a member of Group 'Alfa' on AD, AND can also have any other group membership on AD (meaning of *), then map it to Group x on ACS.
  It does not mean map everyone to Group x, even if they are not a member of Group 'Alfa' on AD.
  As mentioned by JG above, all the users are able to authentication because of your 'All other combination' or \DEFAULT mapping on ACS.
  Map them to .
  Then only those will be able to log in, for whom you have the mapping defined on ACS.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538
  Check Step 8,
  "The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."
  Regards,
  Prem

• SSID To Group Mapping With ACS 5.1

  Hi ;
             I am trying to implement PEAP authentication with ACS 5.1 and PEAP is working fine. I have two SSID's with peap authentication and i have two groups in AD. I need to map one ssid with one group and another SSID with the other group.
  I implemented the same with ACS 4.2 (Screenshot attached) .  Now the requirement is to implement the same concept in ACS 5.1.  Could you please help me on this.

  If you go under Access Policies and Service Selection Rules and check  you hit count( you may need to refresh if you just tried connecting) see  if the rule is incrementing.
  If that rule has a condition tied to that SSID, it should only increment when that SSID sends traffic.  If users credentials are working, thats a separate issue.
  For the Access service you created, that your selection rule feeds, check the following
  Identity will be set to internal users
  Authorization you will need to have hit custom and selected "Identity Group" as a selector"  Then when you make the rule, check that box and set it to your Staff Group.  Set the default at the bottom of the page to Deny Access.

• Cannot get bank verification window to work, smae fine in safari and cannot submit feed back as script appears not to work.

  e.g topping up friends mobile phone on orange.co.uk. Everything fine until bank card verification window appears. Enter details and return and scrip sends me back to start of transaction. No problem usinf Safari. I tried to send feedback but no reaction on hitting submit button. Happened on similar sites with version 4 but 3.5 no problem.

  Apple has barred Java from running on Macs, leaving companies that rely on Java plug-ins out in the cold.
  Apple blocked Java 7 Update 11 by adding it to the banned list in XProtect.
  This is the second time in two weeks that Apple has blocked Oracle's code from running on Macs. This time Java is blocked through Apple's XProtect anti-malware feature.
  Java has come under fire as the means by which hackers have been able to gain control of computers. In April 2012 more than 600,000 Macs were reported to have been infected with a Flashback Trojan horse that was being installed on people's computers with the help of Java exploits. Then in August Macs were again at risk due to a flaw in Java, this time around, there was good news for Mac users: Thanks to changes Apple has made, most of us were safe from the threat.
  Unwilling to leave its customers open to potential threats Apple has apparently decided it's safer to block Java entirely.
  Macs running OS X Snow Leopard and beyond are affected.

• ACS 3.3 Windows group mapping problem

  Hi,
  I?m running Cisco Secure ACS v.3.3 at Win 2000 server(sp4). ACS server is member of AD domain X. Additional there are two AD forests, so: domains X and Y are in the same forest, but domain Z is member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In ACS documentation I have found information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? If problem is solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
  Thanks,
  Peter

  You need to set up proxy.
  http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
  Look for "Cross-Forest Authentication" in above link. And you get the Idea of what I mean. Though in above link its depicted with IAS server, but same is possible with ACS, as both can act as Radius server.
  There is a known bug, CSCsi04187
  PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from client. This only happens if the machine is autenticating to a domain forest that the ACS is not a member of.
  Conditions:
  The Machine authenticating to ACS is in a different domain forest then the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
  Workaround:
  If the supplicant has the option you can send the macine name in hos/ format.
  Many supplicants do not have this option.
  It is to be fixed for ACS 4.2 release.
  Regards,
  ~JG

• ACS group mapping

  hello
  we are using ACS4.2 to authenticate network admins to access switches and routers. ACS is integrated with Windows Active Directory.
  so we map AD groups to ACS groups and we specify access restriction in ACS groups.
  now we want to use this ACS to authenticate wireless users. wireless users will use their AD accounts.
  so i think we should create a new internal group in ACS and map AD mobile users to this group. using Radius attributes we can put these users in one particular vlan.
  however what if one network administrator will access the wireless network? he will use the AD account that belongs to both groups : network-admin group and wireless group.
  so what will ACS do in this case? will it be mapped to the first group or the second or may be both?!!!

  i can't see how NAP can resolve my issue.
  suppse ohasairi is one account in AD that belongs to AD groups: network-admin and wireless-users
  AD netwrk-admin is mapped to ACS network-admin group. this group is configured with NAR to limit access to some network devices
  AD wireless-users is mapped to ACS wireless-users that is configured with adequate airespace attributes and ietf attibutes to let it in vlan 80 (wireless vlan)
  now if i put network-admin map the first one, then if ohasairi tries to access wireless network it will not succeed because it will be mapped to network-admin group. and this group is not configured with ietf attributes that let the user in vlan 80!
  if i put wireless-users map the first one, then if ohasairi tries to access one network device, i am afraid it will be assigned to vlan 80!

• ACS Group mapping and restrictions

  hi,
  I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
  ACS Groups
  Netadmin - need telnet/ssh/vpn/wireless
  wireless - only wireless authentication
  vpn - only vpn authenticaiton
  I need to map the above ACS groups to one/or many AD groups and restric access as stated above.
  Also please note that one user can be belongs to all three groups in ACS/AD.
  thanks in advance.

  In ACS user can only belong to one group. But in AD we can have one user a part of multiple group.
  In this scenario, it is very important to understand how ACS group mapping works.
  Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
  Select the AD group NetworkAdmin and map it to ciscosecure group 1
  select the AD group RouterAdmin and map it to ciscosecure group 2
  select the AD group Wireless and map it to ciscosecure group 3
  Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
  Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
  You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
  SCENARIO:
  Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
  NOTE:
  If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
  routers and switches.
  IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
  username is to go to usersetup find that user and delete it manually.
  ACS will not support the following configuration:
  *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
  *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
  However there if your mappings are in below order...
  NT Groups ACS groups
  A,B,C =============> Group 1
  A =============> Group 2
  B =============> Group 3
  C =============> Group 4.
  You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
  This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
  You can create a rule for users in group A (Group 2)
  You can create a rule for users in group B (Group 3)
  You can create a rule for users in group C (Group 4)
  Regards,
  ~JG
  Do rate helpful posts

• ACS user authenticating through Windows Database

  Hello,
  Please, i need a document/ guideline on how to configure ACS 4.2 user authenticating through Windows Database and the ACS server is running on an appliance.
  Please, help.
  Regards,
  Ethelbert

  Hi,
  If you delete the user in AD, then it would not authenticate the user even if the dynamic mapped user exists in the ACS database, as the password would not be verified from the AD for the user.
  The dynamically mapped user entry would still exist in ACS and would not get deleted if the user is deleted from AD.
  tnx
  somishra

• ACS Group to NT Group mapping

  Can anyone tell me if the ACS server (2.6 Build 10) needs be in the domain (or a trusted domain) that you want to map your ACS groups to? My ACS server is a stand-alone server, not a member of any domain, but I cannot map users to groups anywhere except the local ACS NT Groups. Any help is appreciated.
  Tom

  You won’t be able to map your domain users/groups to the ACS database unless the server is on the domain. A standalone server will have a local security database only.

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• 802.1x with ACS does not correctly work

  Hello
  I have here a WLan setup with a WDS, some 40 Accesspoints, an ACS 4.1 server and a Windows Domain Controller which has the users configured.
  I have a group mapping in ACS configured which points to a small group in the ADS.
  The groupmapping in ACS points to a specific group in ACS.
  There I've configured the following:
  [009\001] cisco-av-pair
  - ssid=xx-200 (the name of the SSID the clients connect)
  [006] Service-Type
  - Login
  [007] Framed-Protocol
  - PPP
  [025] Class
  - OU=pers; (this is not the special group where those users are in, but they are also in this one)
  [064] Tunnel-Type
  - Tag 1 Value Vlan
  [065] Tunnel-Medium-Type
  - Tag 1 Value 802
  [081] Tunnel-Private-Group-ID
  - Tag 1 Value 200 (the Vlan in which they should go)
  The good thing is, authentication with username password works.
  The bad thing is, every user can authenticate and get into this SSID instead of only the users in the special group which points to this groupmapping.
  The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.
  The logfile from the ACS also shows that the wrong users are mapped into the correct group like they should, but they still get access.
  Here the WDS configuration:
  aaa group server radius RADIUS_GROUP_WDS_RADIOMANAGEMENT
  server 10.1.1.30 auth-port 1645 acct-port 1646
  server 10.1.2.30 auth-port 1645 acct-port 1646
  aaa authentication login METHOD_WDS_RADIOMANAGEMENT group RADIUS_GROUP_WDS_RADIOMANAGEMENT
  aaa authentication enable default enable
  aaa session-id common
  radius-server host 10.1.1.30 auth-port 1645 acct-port 1646 key 7 xxxx
  radius-server host 10.1.2.30 auth-port 1645 acct-port 1646 key 7 xxxx
  radius-server retransmit 2
  radius-server timeout 18
  radius-server deadtime 1
  radius-server vsa send accounting
  wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT
  wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT
  ssid xx-200
  The accesspoint config:
  aaa authentication login METHOD_RAD_WDS_CLIENT group radius
  aaa authentication enable default enable
  aaa session-id common
  dot11 ssid xx-200
  vlan 200
  authentication open eap METHOD_RAD_WDS_CLIENT
  authentication network-eap METHOD_RAD_WDS_CLIENT
  authentication key-management wpa
  interface Dot11Radio0
  encryption vlan 200 mode ciphers aes-ccm
  broadcast-key vlan 200 change 60
  ssid xx-200
  interface Dot11Radio0.200
  description
  encapsulation dot1Q 200
  no ip route-cache
  no cdp enable
  bridge-group 200
  bridge-group 200 subscriber-loop-control
  bridge-group 200 block-unknown-source
  no bridge-group 200 source-learning
  no bridge-group 200 unicast-flooding
  bridge-group 200 spanning-disabled
  interface FastEthernet0.200
  description
  encapsulation dot1Q 200
  no ip route-cache
  bridge-group 200
  no bridge-group 200 source-learning
  bridge-group 200 spanning-disabled
  I hope you can find why any user can authenticate and not just the ones in the groupmapping which has the radius attributes configured.
  Thanks,
  pato

  I have finally found something to look into :/
  000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6
  000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]
  000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
  000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
  This is with various debugging active on the WDS. And this might be the reason why it doesn't work.

• Intergrating ACS with user database in windows DC

  Please,
  I just installed and configured ACS on window 2003 server on my network. The next task is to integrate the user database in my DC with the ACS. I need you to tell me in steps what else that need to be done.The documentaion is not specific.
  (I heard about 'remote agent' please what is this,and is it required?)

  I think you can map your DC groups to ACS group
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/qg.html#wp940538
  M.

• Move group mapping ACS 3.3 or 4.0

  Hi,
  is there some possibility to move some group mapping UP/DOWN in list of mapping? When i create some mapping it's at the end of list but i need to move this rule to another position in list becouse there is sequential system for matching rules..

  In ACS 3.3(11):
  External User Database...Database Group Mappings...Pick Database...Pick Domain(If Windows) or Pick Tree(if NDS)...
  This should bring you to your group listings...click Order Mappings then you can move your groups up or down.

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.