topic One User - Multiple Groups - ACS4.2 in Network Access Control

One User - Multiple Groups - ACS4.2

Sohail Muhammad — Mon, 11 Mar 2019 03:34:54 GMT

Hi All,

Is it possible that one of the AD user who is already a member of multiple groups in AD, can work in the same way with ACS 4.2? Actually, my client has created multiple groups on AD like IT-Group, Corp-Group and VIP-Group, and these groups are mapped on ACS. Now we are authenticating the users with corresponding SSID over Wireless network by creating NAR with which matches DNIS (SSIDs are same as AD Groups). Some of the users are member of all 3 or 2 groups, but we have observed the user who is member of 2 or more groups is always authenticated with the 1 group that is on ACS. Is it the limitation of ACS4.2?

Regards,

Sohail

One User - Multiple Groups - ACS4.2

Ravi Singh — Sun, 30 Jun 2013 08:08:22 GMT

I don't think there is any way to achieve this task. You can say this is limitation of ACS.

Re: One User - Multiple Groups - ACS4.2

Jatin Katyal — Sun, 30 Jun 2013 12:28:46 GMT

ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. When you configure an ACS group mapping based on group set membership, you can add one or many external user database groups to the set. For ACS to map a user to the specified ACS group, the user must match all external user database groups in the set. It actually work as a AND operator so if user satisfy the condition, it will work.

ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.

Group-Mapping with ACS 4.2

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMap.html#wp940485

~BR
Jatin Katyal

**Do rate helpful posts**

One User - Multiple Groups - ACS4.2

Amjad Abdullah — Mon, 01 Jul 2013 08:11:59 GMT

Hi,

Group mapping on ACS maps the user to one and only one group. So, a specific user can be only a member of one ACS group at any specific time.

If you are using group mapping to map the groups from external DB (AD) then the mapping goes sequentially as described by Jatin above. The first match assigns the group.

So, if a user is a member of both AD groups Corp and VIP, it will be mapped to the first one appears in the group mapping configuration.

If you want the mapping to always work you better make users part of specific group amont the three that you use or to prioterize the order of the mapping which satisfies your requirement. i.e. if a user part of all gropus and you want that one to be a part of VIP only in this case, put the VIP group mapping configuration first followed by other group mappings.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

One User - Multiple Groups - ACS4.2

Sohail Muhammad — Sat, 06 Jul 2013 05:59:44 GMT

So does ACS 5.x version have some flexibility to achieve this goal? With Rule-Based Policy?

Regards,

Sohail

One User - Multiple Groups - ACS4.2

Jatin Katyal — Sat, 06 Jul 2013 11:07:51 GMT

Yes, with ACS 5.x you do have this flexibility ane what you're thinking can be done. With ACS 5.x

You can select active directory group under customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add.

You can select AD1:ExternalGroup and there you have 2 options Contains Any or All. This work like OR / AND operator that you can select based on your requirement.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/access_policies.html#wp1064976

~BR
Jatin Katyal

**Do rate helpful posts**

One User - Multiple Groups - ACS4.2

Sohail Muhammad — Sat, 06 Jul 2013 13:41:16 GMT

Thanks Jatin for your reply. But I just got a reply from Cisco TAC engineer that the same can be done on ACS 4.2 with configuring Group Set for external Database groups. I tried to find out the configuration method but only manage to find the following:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMap.html#wp940457

Can you guide me how to configure Group Set?

Re: One User - Multiple Groups - ACS4.2

Jatin Katyal — Sat, 06 Jul 2013 14:24:34 GMT

Please understand this example:

For example, a user named Mary is assigned to the three-group combination of Engineering, Marketing, and Managers. Mary should be granted the privileges of a manager rather than an engineer.

- Mapping A assigns to ACS Group 2 users who belong to all three groups of which Mary is a member.

- Mapping B assigns to ACS Group 1 users who belong to the Engineering and Marketing groups.

- Mapping C assigns to ACS Group 3 users who belong to the Engineering Group.

ACS GROUP AD EXTERNAL GROUP

A. Group 2 Engineering, Marketing and Managers

B. Group 1 Engineering, Marketing

C. Group 3 Engineering

- If Mapping B is listed first, ACS authenticates Mary as a user of Group 1 and she is be assigned to Group 1, rather than Group 2 as managers should be.

- A user must match all the groups in the Selected list so that ACS can use this group set mapping to map the user to an ACS group; however, a user can also belong to other groups (in addition to the groups listed) and still be mapped to an ACS group.

- Order of group mapping is very important.

Now, please let me know if you've some other requirement.

~BR
Jatin Katyal

**Do rate helpful posts**

Re: One User - Multiple Groups - ACS4.2

Jatin Katyal — Sat, 06 Jul 2013 14:32:27 GMT

I think you've asked the same question in different section. let's troubleshoot on a single post, that would avoid confusion.

~BR
Jatin Katyal

**Do rate helpful posts**