06-13-2011 07:08 AM - edited 03-10-2019 06:09 PM
I have a Cisco Secure ACS 5.2 on a VM. We are using it for administrative access to our Cisco equipment with TACACS+. I am using LDAP to authenticate with Active Directory. I currently have it working when a user is directly in the group that is assigned permissions. I am changing the way we assign group permissions and have created some nested groups.
For example:
-User1 is a member of group1
-group1 is a member of "group2"
I map group2 to have access to my devices. However, User1 is not getting mapped to the right group and is denied access.
When I go to monitoring and reports and view the TACACS+ authentication details, under other attributes, where it shows the external groups the user is a member of, I do not see group2, only group1.
However, when User1 is a member of group2 directly, the user is able to log on.
Does the ACS 5.2 not support authorizing permissions using nested groups this way?
06-13-2011 08:50 AM
Nested group mapping is not supported with LDAP (because users only contain the memberOf attribute of the groups right above them, not nested ones). This is the default behaviour when we use nested groups with LDAP. You need to add the subgroups to the ACS and add those to the respective authorization rules as well.
Regards,
Jatin
Do rate helpful posts-
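The following worked example is added here and is not code from the thread or from Cisco ACS. It models the memberOf attribute the way the answer describes it (a user object carries only the groups it is a direct member of) and shows why a rule mapped to group2 alone never matches User1, what the suggested workaround (also mapping the subgroup) does, and what a nested-aware lookup would return instead. The DNs, the OU layout and the in-memory directory snapshot are constructed assumptions for illustration.

```python
"""Direct vs. nested (transitive) LDAP group membership.

Constructed example, not from the Cisco Community thread: a tiny
in-memory snapshot of memberOf values stands in for the LDAP server.
"""

# Constructed directory snapshot: object DN -> its memberOf values.
# The DNs and OU layout are assumptions for illustration only.
DIRECTORY = {
    "CN=User1,OU=Users,DC=example,DC=com": [
        "CN=group1,OU=Groups,DC=example,DC=com",
    ],
    "CN=group1,OU=Groups,DC=example,DC=com": [
        "CN=group2,OU=Groups,DC=example,DC=com",
    ],
    "CN=group2,OU=Groups,DC=example,DC=com": [],
    "CN=User2,OU=Users,DC=example,DC=com": [
        "CN=group2,OU=Groups,DC=example,DC=com",
    ],
}


def direct_groups(dn, directory=DIRECTORY):
    """Groups the object is an immediate member of, i.e. its own memberOf
    attribute. Per the answer above, this is all ACS 5.2 evaluates."""
    return set(directory.get(dn, []))


def transitive_groups(dn, directory=DIRECTORY):
    """Every group reachable by following memberOf from the object.

    Iterative walk with a visited set, so circular nesting (group A in
    group B in group A) terminates instead of recursing forever."""
    seen = set()
    stack = list(direct_groups(dn, directory))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(direct_groups(group, directory))
    return seen


def is_authorized(dn, mapped_groups, resolve_nested, directory=DIRECTORY):
    """True if any group the authorization rule is mapped to matches the
    user's membership: direct only (ACS 5.2 behaviour as described) or
    transitive (what nested-group support would require)."""
    lookup = transitive_groups if resolve_nested else direct_groups
    return bool(lookup(dn, directory) & set(mapped_groups))


if __name__ == "__main__":
    user1 = "CN=User1,OU=Users,DC=example,DC=com"
    g1 = "CN=group1,OU=Groups,DC=example,DC=com"
    g2 = "CN=group2,OU=Groups,DC=example,DC=com"
    # Direct-only lookup with only group2 mapped: denied, as in the post.
    print("direct lookup, group2 mapped:", is_authorized(user1, {g2}, False))
    # Workaround from the answer: map the subgroup on the rule as well.
    print("direct lookup, group1+group2 mapped:", is_authorized(user1, {g1, g2}, False))
    # What a nested-aware lookup would give with only group2 mapped.
    print("transitive lookup, group2 mapped:", is_authorized(user1, {g2}, True))
```

The walk is done client-side, which is what a product has to do when it only reads memberOf from the user entry. On Active Directory specifically, the server can do the same walk for you with the matching-rule-in-chain filter, for example `(memberOf:1.2.840.113556.1.4.1941:=CN=group2,OU=Groups,DC=example,DC=com)`; whether a given ACS release can be configured to issue such a filter is not something this thread establishes, so the answer's workaround of also mapping the subgroups remains the safe choice for ACS 5.2.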