topic Re: ACS 5.2 group mapping with LDAP external identity store in Network Access Control

ACS 5.2 group mapping with LDAP external identity store

Andrew Bailey — Mon, 11 Mar 2019 01:06:10 GMT

I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.

I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.

On the directory groups page I have entered the groups according to the required format.

cn=groupname1,ou=groups,dc=abc,dc=com

I have a rule based result selection under group mapping. I have two rules in the format below.

Conditon

LDAP:Externalgroups groupname1

Result

Identitygroup1

I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.

I can't seem to figure out why this is going on. I would greatly appreciate any help in troubleshooting.

Re: ACS 5.2 group mapping with LDAP external identity store

jrabinow — Thu, 19 May 2011 20:43:56 GMT

Suggest to go to "Monitoring & Reports > Reports > Catalog > AAA Protocol"

Select TACACS Authorization and see the authorizations that occured today

If you click on the details icon you should be able to see the actual LDAP groups that were retrieved in processing the request and so can see that the format/contents matches that which you entered

Re: ACS 5.2 group mapping with LDAP external identity store

Andrew Bailey — Fri, 20 May 2011 11:20:12 GMT

Yes, that is where I am seeing the Identity group assigned is "Other" when it should be "intentitygroup1" or "intentitygroup2"

Under Other attributes I see all the the external groups that my user account is a member of, including my "grouname1" that I have defined in the LDAP Directory groups tab and that mapped to my identity group in my rule based group mapping.

It looks like this

ExternalGroups=CN=groupname1,OU=Groups,DC=abc,DC=com

So LDAP is looking up my group membership fine... it's just not applying in my group mapping policy.

Re: ACS 5.2 group mapping with LDAP external identity store

Andrew Bailey — Fri, 20 May 2011 11:45:26 GMT

I figured out the problem...

On the LDAP directory groups page, my group was not displayed in the first 100 groups shown, so I could not select it and had to type it out. It turns out that it is case sensitive.

This doesn't work:
cn=groupname1,ou=groups,dc=abc,dc=com

But this does:

CN=Groupname1,OU=Groups,DC=abc,DC=com

Thanks for your help!