09-13-2012 03:52 AM - edited 03-10-2019 07:32 PM
Hi,
We are using ACS 4.2.1.15 with patch 8 on an ACS 1113 SE box.
Our requirement is to assign an ACS local group to a user on the basis of the Windows NT group. This means I don't want to create individual users in ACS; rather, when a user logs in, the auth request will be forwarded to AD (remote database). Depending on the remote database group, the user should be mapped to the local database.
For this I have configured "database group mapping" according to the following Cisco guide.
However, whenever my AD users authenticate, they get the membership of the default group as configured in the "\Default" profile.
I am using TACACS+ protocol in my routers and switches for authentication.
Please let me know whether "Group mapping by External user database" works with TACACS+ or only with RADIUS protocol.
If it works with TACACS+, please let me know what other configuration needs to be done so that my ACS can map users to the proper groups instead of the default group.
09-13-2012 07:50 AM
Hi,
Can you post a screenshot of your group mapping configuration? This will work with TACACS.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-17-2012 12:04 AM
Satya:
Group mapping should work with either RADIUS or TACACS+.
Tarik is requesting a screenshot because we believe that there is something wrong with your configuration. A screenshot should be handy to detect what is configured incorrectly.
Waiting for your screenshot. ;-)
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"
09-17-2012 02:41 AM
Dear Amjad & Tarik,
Thanks for your help. When I got confirmation from Tarik that it works with TACACS, I verified the RA logs thoroughly for each individual user authentication. After that I found that the AD reply does not contain the desired group membership, because of which the problem was occurring. I made the mapping on the basis of the AD reply and found it is working fine.
Thank you very much for helping me :-)
Regards,
Satya Mishra.
09-17-2012 03:51 AM
Satya Mishra:
Great news. Glad that everything is working now.
Rating useful replies is more useful than saying "Thank you"