ACS 5.1.0.44 Group Mapping Syntax

bradleyordner
Level 3

Hi,

We are currently testing a new ACS Deployment.

We are just testing TACACS authentication at the moment. We would like to map one AD Group, known as DeviceAccess1 to TACACS authentication.

Now if we make our condition - sAMAccountName = brad and I log in with brad it works.

If I modify the condition to be AD Group DeviceAccess1 and brad is a member of that group it fails. We believe that this is not matching, maybe the syntax for the group is wrong? Do we need to include the entire group - CN= etc etc etc

Thanks

11 Replies

willgraham
Level 1

Yes, I have exactly the same problem - I can use all attributes successfully in AD for the authorization, e.g. AD1:name.

When I use the customized AD1:memberOf attribute it always fails.

I also am not sure how to troubleshoot this.

Any help would be appreciated.

Will

The format looks incorrect to me. When you configure AD, there is an option called Directory Groups >> click on it.


Selecting an AD Group

Use this page to select groups that can then be available for policy conditions.

Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.

For more information, you may visit the below listed URL

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140999

Once you are done, go to the access-policy >> on the right bottom corner, you would see a tab "customize" click on it and move the attribute AD1:ExternalGroups to the right end side >> click ok >> create a new authorization policy and select the group you fetched in the directory groups under AD configuration.


A custom condition for group mapping from the ExternalGroup attribute; the custom condition name is AD1:ExternalGroups and another custom condition for each attribute selected in the Directory Attributes page (for example, AD1:cn).



HTH


Rgds,  Jatin



Do rate helpful posts~

~Jatin

HI,

Thanks for your reply. We are trying that as we speak, will let you know how we go.

Not sure if this is a AD or ACS issue but when we click select from directory groups it takes a very long time to display groups. Maybe our AD is too big?

It also takes just as long to search once the page is displayed.

Thanks

Brad

There could be an issue with memberOf attribute if it is a multi-valued attribute

ACS 5.1 does not support multi-valued attributes, and when such an attribute is encountered its value is not retrieved and so will not match on policy.

It takes too long to browse through AD - when the window finally comes up the search 'go' button does not match any values.

There is > 100 at the start.

jrabinow - how would I know if there is an issue with the multi-valued attribute - sounds like I could be hitting that as other variables work.

What is the workaround? Should I upgrade to 5.2?

Will

Jonny: You're correct, ACS doesn't support multi-valued attributes.


Just wanted to share with you guys, this is not the case with the memberOf attribute. It works perfectly with the memberOf attribute, I've personally tested that.


I've seen the same issue where ACS takes some time to fetch the groups, approx 4 minutes.


When we press the 'select' button to fetch/retrieve the AD groups, ACS uses a script called "ACS_AD_Runner.sh" which uses Centrify in order to fetch groups. This seems to be a DNS issue. Could you please get the "SH RUN" from the ACS and the complete hierarchy of the AD. We need to check the DNS servers and how quickly they are resolving the queries.


Get the o/p of this as well

CDCACS01/admin# nslookup **********   ------------- (FQDN of ACS)


If you want to troubleshoot this issue then you also need to gather the following debugs:

ACSManagement.log and ACSADAgent.log


If you want to bypass everything then apply patch 3 for ACS 5.1.0.44 or upgrade your ACS to 5.2


Upgrading ACS 5.1 to 5.2

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_upg.html#wp1167547


ACS patch Install on 5.1

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1207205


Here is a link to download the latest 5.1 patch (patch 3).
http://tools.cisco.com/squish/1F441B

Filename: 5-1-0-44-3.tar.gpg

Readme: http://www.cisco.com/web/software/282766937/28141/Acs-5-1-0-44-3-Readme.html


Hope this helps.



Rgds, Jatin



Do rate helpful posts~

~Jatin

To determine whether it is a multi-value attribute issue, it is best to look at the values assigned to the user within AD.

Upgrading to 5.2 will not help since there is no additional support in this area.

How do I find out if a variable is multi in AD?

This does not make complete sense to me

memberOf: The memberOf attribute is a multi-value attribute that contains the list of distinguished names for groups that contain the group as a member. This attribute lists the groups beneath which the group is directly nested; it does not contain the recursive list of nested predecessors. For example, if group D were nested in group C and group B and group B were nested in group A, the memberOf attribute of group D would list group C and group B, but not group A.

The issue you're facing doesn't seem to be a multi-valued attribute one. This is more of a DNS issue. Did you get a chance to collect the logs?



Rgds, Jatin


Do rate helpful posts~

~Jatin

Single valued attributes such as "sAMAccountName" work perfectly!!!!!!!!!!

I think the problem is to do with memberOf being a multi-valued attribute.
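The pattern reported in this thread (a condition on the single-valued sAMAccountName matches, a condition on memberOf does not) is what you would expect from a policy evaluator that can only hold one value per attribute. The Python below is an added illustration, not code from any poster or from ACS; the LDIF record, user, group DNs and domain are constructed, and the two evaluator functions model the behaviour described rather than the real ACS implementation.

```python
from typing import Callable, Dict, List

# Constructed LDIF-style record for a user "brad"; every value here is made up.
SAMPLE_LDIF = """\
dn: CN=brad,OU=Users,DC=example,DC=com
sAMAccountName: brad
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
memberOf: CN=DeviceAccess1,OU=Groups,DC=example,DC=com
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=com
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Collect every 'attr: value' line into a list per attribute.

    AD attribute names are case-insensitive, so keys are lower-cased;
    repeated attributes (memberOf) accumulate into a multi-valued list."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs ignoring case and whitespace around the RDN separators."""
    def norm(dn: str) -> str:
        return ",".join(part.strip().lower() for part in dn.split(","))
    return norm(a) == norm(b)


def _comparator(attr: str) -> Callable[[str, str], bool]:
    # DN-valued attributes need DN comparison; plain strings need exact match.
    return dn_equal if attr.lower() == "memberof" else (lambda x, y: x == y)


def single_value_match(entry: Dict[str, List[str]], attr: str, expected: str) -> bool:
    """Model of an evaluator that can only store one value per attribute:
    a multi-valued attribute is treated as 'not retrieved' and never matches."""
    values = entry.get(attr.lower(), [])
    if len(values) != 1:
        return False
    return _comparator(attr)(values[0], expected)


def any_value_match(entry: Dict[str, List[str]], attr: str, expected: str) -> bool:
    """Correct handling of a multi-valued attribute: match if any value equals it."""
    return any(_comparator(attr)(v, expected) for v in entry.get(attr.lower(), []))
```

Running both evaluators over the same record shows the sAMAccountName condition succeeding under either model while the DeviceAccess1 group condition only succeeds when every memberOf value is considered.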