05-01-2012 11:15 AM - edited 03-10-2019 07:03 PM
Hi,
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership and map it appropriately to an identity group.
What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG), then associate them with the identity group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on identity group.
It seems that the ACS server will not match the AD group for the user, and it matches the Default rule of the Group Mapping portion of the policy every time.
I tried several configuration choices, such as: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
Is there something special I need to do in the Group Mapping policy to get it to match an Active Directory group and result in assigning the host to an identity group?
Thank you,
Sami
05-02-2012 12:32 AM
What patch level of ACS are you on? Please install patch 4; there are a few bug fixes that fix the group retrieval issue.
Here is a list of bugs fixed in patch 3:
Here is a list of bugs fixed in patch 4:
Thanks,
Tarik Admani
05-02-2012 11:51 AM
Tarik,
I am running the latest code patch:
Version 5.3.0.40.4
Last Patch : 5-3-0-40-4
Thank you,
Sami
07-24-2012 02:44 PM
Hi, I'm facing a similar issue. In my case, the identity group won't match the authorization profile I defined. Is it a known bug, and is Cisco working on a fix for this?
Thanks.
07-24-2012 03:53 PM
So the question is why do you want to use identity groups to accomplish this? You can use the AD groups directly in the authorization policies and set the levels of access accordingly, bypassing this extra step of identity group mappings. There might be a legitimate reason why you still need group mapping, but if you are hitting a bug then try just going straight to AD for group matches.
Most people think that ACS 5.x must work the same as 4.x, with the group mapping being required, when in 5.x it's optional.
Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674
07-25-2012 07:43 AM
OK, my case is like this.
I use ACS 5.3 for VPN authentication, using AD and an external RSA server for token authentication (two-factor authentication).
I didn't add all the VPN users to the ACS, because it would be troublesome; user authentication is managed by AD and the RSA server.
In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.
Following the Cisco docs, I managed to get the downloadable ACL to work when the authorization profile matching criterion is username, but when I change the matching criterion to identity group, the downloadable ACL won't work.
I have a case open with a Cisco engineer now and we are still in the middle of sorting things out.
The advice from the Cisco engineer is to have the access service set to Internal Users instead of the RSA server, but that would require us (the admins) to import all the VPN users into the ACS database.
Wondering whether there is a fix for this.
Thanks.
07-25-2012 11:42 AM
I found a solution for my case -> identity store sequence.
By adjusting the identity store sequence, I managed to get group-level downloadable ACLs working in my environment.
I'll leave the comment here for others' reference.
Thanks-
07-31-2012 02:41 AM
Hello Netops.
Could you explain your solution a little bit more?
regards / Karsten