Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3083
Views
0
Helpful
3
Replies

ACS 5.2 group mapping with LDAP external identity store

Andrew Bailey
Level 1
Level 1

‎05-19-2011 01:35 PM - edited ‎03-10-2019 06:06 PM

I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment  with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.

I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.

On the directory groups page I have entered the groups according to the required format.

cn=groupname1,ou=groups,dc=abc,dc=com

I have a rule based result selection under group mapping. I have two rules in the format below.

Conditon

      LDAP:Externalgroups groupname1

Result

     Identitygroup1

I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.

I can't seem to figure out why this is going on.  I would greatly appreciate any help in troubleshooting.

Labels:
0 Helpful
3 Replies 3

jrabinow
Level 7
Level 7

‎05-19-2011 01:43 PM

Suggest to go to "Monitoring & Reports > Reports > Catalog > AAA Protocol"

Select TACACS Authorization and see the authorizations that occured today

If you click on the details icon you should be able to see the actual LDAP groups that were retrieved in processing the request and so can see that the format/contents matches that which you entered

0 Helpful

Andrew Bailey
Level 1
Level 1
In response to jrabinow

‎05-20-2011 04:20 AM

Yes, that is where I am seeing the Identity group assigned is "Other" when it should be "intentitygroup1" or "intentitygroup2"

Under Other attributes I see all the the external groups that my user account is a member of, including my "grouname1" that I have defined in the LDAP Directory groups tab and that mapped to my identity group in my rule based group mapping.

It looks like this

ExternalGroups=CN=groupname1,OU=Groups,DC=abc,DC=com

So LDAP is looking up my group membership fine... it's just not applying in my group mapping policy.

0 Helpful

Andrew Bailey
Level 1
Level 1

‎05-20-2011 04:45 AM

I figured out the problem...

On the LDAP directory groups page, my group was not displayed in the first 100 groups shown, so I could not select it and had to type it out. It turns out that it is case sensitive.

This doesn't work:
cn=groupname1,ou=groups,dc=abc,dc=com

But this does:

CN=Groupname1,OU=Groups,DC=abc,DC=com

Thanks for your help!

0 Helpful
Customers Also Viewed These Support Documents