https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888502#M202751 <HTML><HEAD></HEAD><BODY><P>What patch level of ACS are you on? Please install patch 4 there are a few bug fixes that fix the group retrieval issue.</P><P></P><P>Here are a list of bugs in patch 3 that are fixed: </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223113">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223113</A></P><P></P><P>Here are a list of bugs fixed in patch 4 - </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223684">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223684</A></P><P></P><P>Thanks,</P><P>Tarik Admani</P></BODY></HTML> Wed, 02 May 2012 07:32:07 GMT Tarik Admani 2012-05-02T07:32:07Z https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888501#M202750 <P>Hi,</P><P></P><P>I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.</P><P></P><P>What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.</P><P></P><P>It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.</P><P></P><P>I tried several configuration choices from : AD1:ExternalGroups contains any &lt;string showing in AD&gt;, AD1:memberOf &lt;group&gt;.</P><P></P><P>Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?</P><P></P><P>Thank you,</P><P>Sami</P> Mon, 11 Mar 2019 02:03:25 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888501#M202750 Sami Abunasser 2019-03-11T02:03:25Z https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888502#M202751 <HTML><HEAD></HEAD><BODY><P>What patch level of ACS are you on? Please install patch 4 there are a few bug fixes that fix the group retrieval issue.</P><P></P><P>Here are a list of bugs in patch 3 that are fixed: </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223113">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223113</A></P><P></P><P>Here are a list of bugs fixed in patch 4 - </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223684">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223684</A></P><P></P><P>Thanks,</P><P>Tarik Admani</P></BODY></HTML> Wed, 02 May 2012 07:32:07 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888502#M202751 Tarik Admani 2012-05-02T07:32:07Z https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888503#M202752 <HTML><HEAD></HEAD><BODY><P> Tarik,</P><P></P><P>I am running the latest code patch:</P><P></P><P>Version 5.3.0.40.4</P><P>Last Patch : 5-3-0-40-4 </P><P></P><P>Thank you,</P><P>Sami</P></BODY></HTML> Wed, 02 May 2012 18:51:35 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888503#M202752 Sami Abunasser 2012-05-02T18:51:35Z https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888504#M202753 <HTML><HEAD></HEAD><BODY><P>Hi, I'm facing similar issue. In my case, the identity group won't match the authorization profile i defined. Is it a know bug and Cisco is working with a fix with this?</P><P>Thanks.</P></BODY></HTML> Tue, 24 Jul 2012 21:44:15 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888504#M202753 cybernetops 2012-07-24T21:44:15Z https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888505#M202754 <HTML><HEAD></HEAD><BODY><P>So the question is why do you want to use identity groups to accomplish this? You can use the AD groupd directly in the authorization policies and set the levels of access accordingly, bypassing this extra step of identity group mappings. There might be a legit reason why you still need group mapping but if you are hitting a bug then try just going straight to AD for group matches.</P><P></P><P>Most people think that ACS 5.x must work the same as 4.x with the group mapping being required when in 5.x its optional.</P><P></P><P>Jim Thomas <BR />Cisco Security Course Director <BR />Global Knowledge <BR />CCIE Security #16674</P></BODY></HTML> Tue, 24 Jul 2012 22:53:53 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888505#M202754 Jim Thomas 2012-07-24T22:53:53Z https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888506#M202755 <HTML><HEAD></HEAD><BODY><P>Ok, my case is like this.</P><P>I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)</P><P>I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.</P><P>In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.</P><P>Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.</P><P>I have a case with Cisco engineer now and still in the middle to sort things out.</P><P>The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.</P><P>Wondering whether there is a fix for this.</P><P></P><P>Thanks.</P></BODY></HTML> Wed, 25 Jul 2012 14:43:23 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888506#M202755 cybernetops 2012-07-25T14:43:23Z https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888507#M202756 <HTML><HEAD></HEAD><BODY><P>I found a solution for my case -&gt; identity store sequence.</P><P>By adjusting the identity store sequence, i manage to fulfill my environment for group level downloadable ACLs.</P><P>I'll leave the comment here for other's reference <SPAN __jive_emoticon_name="happy"></SPAN></P><P>Thanks-</P></BODY></HTML> Wed, 25 Jul 2012 18:42:40 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888507#M202756 cybernetops 2012-07-25T18:42:40Z https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888508#M202757 <HTML><HEAD></HEAD><BODY><P>Hello Netops.</P><P></P><P>could you explain your solution a little bit more? </P><P></P><P>regards / Karsten</P></BODY></HTML> Tue, 31 Jul 2012 09:41:20 GMT https://community.cisco.com/t5/network-access-control/acs-5-3-group-mapping-based-on-ad-group-membership/m-p/1888508#M202757 Karsten Jaschultowski 2012-07-31T09:41:20Z