https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086421#M152375 <HTML><HEAD></HEAD><BODY><P>No problem! I have had issues in the past when the local and the domain user are the same. You can still get around that by defining what identity stores are used (for example, excluding the internal user database) and/or by properly constructing your authorization rules. </P><P></P><P>Also, do are you using ACS 4.x or 5.x?</P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Fri, 09 Nov 2012 18:53:36 GMT nspasov 2012-11-09T18:53:36Z https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086418#M152297 <P>hi</P><P></P><P>Quick question about TACACS and a user that needs to be in more than 1 group</P><P></P><P>We have a networkAdmins group that is linked to the AD domain Admins group with a network admin in it</P><P></P><P>w then have another group for firewalls which is linked to firewall access group in AD one user is in both groups which have both been created using a manual mapping in TACACS but the user is only showing up in the NetworkAdmin group not in the firewall admin group</P><P></P><P>any ideas why the user is not showing up or is this even possible</P><P></P><P>thanks&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 02:45:29 GMT https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086418#M152297 John.Mason1978 2019-03-11T02:45:29Z https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086419#M152318 <HTML><HEAD></HEAD><BODY><P>Hello John-</P><P></P><P>You can have a user be part of more than one group. You just need to make sure that both of the groups are pulled from AD and then you can build your authorization rules based on that.</P><P></P><P>Let me know if this makes sense or if you need more details. </P></BODY></HTML> Thu, 08 Nov 2012 18:51:07 GMT https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086419#M152318 nspasov 2012-11-08T18:51:07Z https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086420#M152343 <HTML><HEAD></HEAD><BODY><P>Hi Neo</P><P></P><P>thanks for the fast reply</P><P></P><P>that makes sense</P><P></P><P>so my user for example currently is in the network admins group populated via AD but there are ACS local users in that group</P><P></P><P>if i remove the local users then the ad should populate both groups with my user</P></BODY></HTML> Fri, 09 Nov 2012 09:37:54 GMT https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086420#M152343 John.Mason1978 2012-11-09T09:37:54Z https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086421#M152375 <HTML><HEAD></HEAD><BODY><P>No problem! I have had issues in the past when the local and the domain user are the same. You can still get around that by defining what identity stores are used (for example, excluding the internal user database) and/or by properly constructing your authorization rules. </P><P></P><P>Also, do are you using ACS 4.x or 5.x?</P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Fri, 09 Nov 2012 18:53:36 GMT https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086421#M152375 nspasov 2012-11-09T18:53:36Z https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086422#M152414 <HTML><HEAD></HEAD><BODY><P>Yes I inherrited this system, its version 4 and this excercise has prompted us to redesign the acs</P><P></P><P>Thanks for your help</P></BODY></HTML> Fri, 09 Nov 2012 18:59:11 GMT https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086422#M152414 John.Mason1978 2012-11-09T18:59:11Z https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086423#M152444 <HTML><HEAD></HEAD><BODY><P>Those are always nice when you inherit these type of systems. I don't know if you have had any experience with 5.x but I highly recommend migrating to it. It is much nicer in terms of building blocks, logging, monitoring etc and it does not run on Windows <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Fri, 09 Nov 2012 19:04:18 GMT https://community.cisco.com/t5/network-access-control/tacacs-for-user-in-multiple-groups/m-p/2086423#M152444 nspasov 2012-11-09T19:04:18Z