https://community.cisco.com/t5/network-access-control/acs-5-1-group-mapping-with-ad/m-p/1529361#M274225 <HTML><HEAD></HEAD><BODY><P>Hi Austin,</P><P></P><P>Many thanks for your response. Actually my issue is not authentication failing, but authenticating non-it users from the IT group which I dont want. (actually, authentiating any users in AD to my devices).</P><P></P><P>I have attached the TACACS report for passed authentication of non it user. (Before the below changes)</P><P></P><P>Also I have removed the group mapping and added the AD1:ExternalGroups to under group mapping tap.but still no luck.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 09 Dec 2010 07:18:21 GMT pemasirid 2010-12-09T07:18:21Z https://community.cisco.com/t5/network-access-control/acs-5-1-group-mapping-with-ad/m-p/1529359#M274199 <P>Hi,</P><P></P><P>I have issue with AD group mapping with local ACS (5.1). The issue is that it is able to authenticate any users in the AD eventhough I have a map with local ACS group to a particular group of the AD. </P><P></P><P>here is my config:</P><P></P><P>1. Add two group of AD to Directory Group in the Active Directory section of ACS</P><P>2. in the Default Device Admin</P><P>&nbsp;&nbsp; - Identity: AD1</P><P>&nbsp;&nbsp; -group mapping: AD1:ExternalGroup (AD groupname) and Result: identity group: local ACS group</P><P>-&nbsp; Authorization profile:</P><P>&nbsp;&nbsp; identity group: acs local particular group </P><P>&nbsp;&nbsp; NDG:device type: all</P><P>&nbsp;&nbsp; NDG:location: ANY</P><P></P><P>Can someone explain me what I am missing here..?</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 00:38:33 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-group-mapping-with-ad/m-p/1529359#M274199 pemasirid 2019-03-11T00:38:33Z https://community.cisco.com/t5/network-access-control/acs-5-1-group-mapping-with-ad/m-p/1529360#M274213 <HTML><HEAD></HEAD><BODY><P>Hi pemasirid,</P><P></P><P>Can you send a report from the Monitoring and Reporting section of the ACS? Go to that section &gt; Reports &gt; AAA Protocol &gt; TACACS/Radius Authentication (whichever you are using) and click the details icon next to a failed authentication. Send the resulting information.</P><P><BR />Also you technically don't need the group mapping at all - you could delete that part and add the AD1:ExternalGroups directly to the access rules by clicking the customize button on that page. That could streamline the configuration a little.</P><P></P><P>Thanks,</P><P></P><P>Nate</P></BODY></HTML> Wed, 08 Dec 2010 23:26:39 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-group-mapping-with-ad/m-p/1529360#M274213 Nate Austin 2010-12-08T23:26:39Z https://community.cisco.com/t5/network-access-control/acs-5-1-group-mapping-with-ad/m-p/1529361#M274225 <HTML><HEAD></HEAD><BODY><P>Hi Austin,</P><P></P><P>Many thanks for your response. Actually my issue is not authentication failing, but authenticating non-it users from the IT group which I dont want. (actually, authentiating any users in AD to my devices).</P><P></P><P>I have attached the TACACS report for passed authentication of non it user. (Before the below changes)</P><P></P><P>Also I have removed the group mapping and added the AD1:ExternalGroups to under group mapping tap.but still no luck.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 09 Dec 2010 07:18:21 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-group-mapping-with-ad/m-p/1529361#M274225 pemasirid 2010-12-09T07:18:21Z https://community.cisco.com/t5/network-access-control/acs-5-1-group-mapping-with-ad/m-p/1529362#M274240 <HTML><HEAD></HEAD><BODY><P>Thanks for the clarification.</P><P></P><P>So its hitting the rule called "Network Device Authorization" and returning the "Full Access" Shell profile. What are the conditions for that rule? Can you send a screenshot of that page?</P><P></P><P>Thanks,</P><P></P><P>Nate</P></BODY></HTML> Thu, 09 Dec 2010 15:16:19 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-group-mapping-with-ad/m-p/1529362#M274240 Nate Austin 2010-12-09T15:16:19Z