topic Re: User Multiple Active Directory Group Membership Mapping in Network Access Control

User Multiple Active Directory Group Membership Mapping

dumlutimuralp — Mon, 11 Mar 2019 00:34:01 GMT

Hi all,

We got ACS 4.2 and two types of user access to our network :

1_ We got some users in "CiscoAdmins" Active Directory Group, corresponding mapped Cisco ACS group is "Switch Admins".

2_ We also have some users in "VPN_Users" Active Directory Group, corresponding mapped Cisco ACS group is "VPN_Users".

In "Order mapping" page on Cisco ACS 4.2, we put tte "CiscoAdmins" Active Directory Group Mapping on top of "VPN_Users" Active Directory Group mapping. So what happens is, if a user belongs to both "CiscoAdmins" and "VPN_Users" groups in Active Directory, the users always goes into "Switch_Admins" group in Cisco ACS.

However for some users (who belong to both groups in Active Directory) we need to apply some IP assignment and specific authorization.

Any suggestiongs are welcome.

thanks in advance.

Dumlu

Re: User Multiple Active Directory Group Membership Mapping

aneelaka — Fri, 12 Nov 2010 01:35:42 GMT

I see that few users in AD belong to both group, follow the below steps to meet your criteria

Here we assume the two groups on AD are Wireless and VPN 

 
Please follow the below suggestion: 
 
To achieve this 
1.    we can create 3 groups on the ACS (1) Wireless , 2) 
        VPN 3) Wireless+VPN, 
2.    then in Windows group mapping 
  Wireless+VPN (on ACS) MAPs to two groups Wireless on AD and VPN on AD, 
 then Wireless(ACS) maps to (Wireless on AD),
 VPN (ACS) maps to (VPN) on AD, 

3) Ensure that the Mapping order should be in the following order:
   1) Wireless+VPN group (on ACS) MAPs to two groups on AD Wireless on AD and VPN on AD.
   2) Wireless(ACS) maps to (Wireless on AD).
   3) VPN (ACS) maps to (VPN) on AD

Re: User Multiple Active Directory Group Membership Mapping

dumlutimuralp — Fri, 12 Nov 2010 17:42:37 GMT

Hi ,

Thanks for getting back. Havent tried your suggestion so far, but curious, how does it work if I map two different AD groups ("wireless", "vpn" to the same ACS group (wireless+vpn).

I thought when AD sends an authenticaton result message to ACS, it also sends the AD group names which that user belongs to.

So ACS receives that , that specific user is a member of "wireless" , and also member of "vpn" AD group. Whichever group name ACS reads first, that user should belong to the corresponding ACS group.

But what you are actually saying is if I map a specific ACS group ("wireless+vpn") to two different AD groups, ACS checks the authentication result message from AD server for both group names ?

Am I getting this correct ?

Thanks a lot.

Dumlu

Re: User Multiple Active Directory Group Membership Mapping

aneelaka — Fri, 12 Nov 2010 21:26:08 GMT

Yes, ACS check for user group membership, and it can determine if user is member of multiple groups and then map it corrosponding ACS group. Few extra material on ACS group mapping

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMap.html#wp940538#wp940538

Note: Please rate the answer if it helped

Re: User Multiple Active Directory Group Membership Mapping

dumlutimuralp — Fri, 12 Nov 2010 21:37:36 GMT

well apparently I havent done my homework. thanks a lot aneelaka. youve been great help !

Dumlu