ACS 5.3 how do i associate an identity group with an ad group ?

steve switzer · ‎05-02-2012

Hi All

Cant senem to see how to associate an AD group - which i have defined in

users and identity stores/external identity stores/Active Directory/Directory attributes

to associate with the relevant identity groups -

Users and identity stores/identity groups

Is there an example of this being done somewhere as i am having problems understanding

how to do this from the user guide.

All i want to do is associate identity groups with ad groups.

Steve

Tarik Admani · ‎05-03-2012

When click on the selection service rules, there is a check box the enable group mapping. Make sure that is enabled and then you can perform your mapping there.

Thanks,

Tarik Admani

david9young · ‎05-23-2012

How is this done with ISE 1.1?

spindoctor64 · ‎05-23-2012

Steve,

I'm going to outline the assumptions first, then describe how to associate AD groups to ACS identity groups. BTW, I'm using ACS v5.2 on a VM, so 5.3 might be a little different.

ASSUMPTIONS

1. Assume a simple setup, where you have two ACS identity groups, one for admins and one for read-only:

Users and Identity Stores > Identity Groups

Admin

Read-Only

2. Your ACS is joined to a domain, and you have added two AD groups to the Directory Groups tab

(not the Directory Attributes tab as you stated above):

Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups tab

mydomain.com/Group Accounts/Admins

mydomain.com/Group Accounts/Users

3. Your Search Sequence checks AD for accounts:

Users and Identity Stores > Identity Store Sequences >

Password Based is checked

Authentication and Attribute Retrieval Search List

AD1 has been added to the Selected box on the right

4. The ACS is set to use the Search Sequence from Step 3:

Access Policies > Access Services > Default Device Admin > Identity

Single result selection is selected

Identity Source:

Assuming all that is correct:

ASSOCIATE AD GROUPS TO ACS IDENTITY GROUPS

1. Navigate to Access Policies > Access Services > Default Device Admin > Group Mapping

2. Select the radio button for 'Rule based result selection,' and click OK on the pop-up dialog

3. Click Create, and give the first rule a meaningful name, such as 'AD-Admin to ACS-Admin'

Check the box for Compound Condition

Dictionary: AD-AD1 Attribute: ExternalGroups

Under Value: (Click the Select button, and select your AD Admin group)

mydomain.com/Group Accounts/Admins

Under Current Condition Set, click 'Add v' to add the condition to the field

Under Results: (Select your ACS Admin internal identity group)

Identity Group: All Groups: Admin

Click OK at the bottom of the page to close the window and add the rule.

4. Click Create, and give the second rule a meaningful name, such as 'AD-Users to ACS-Read-Only'

Check the box for Compound Condition

Dictionary: AD-AD1 Attribute: ExternalGroups

Under Value: (Click the Select button, and select your AD Admin group)

mydomain.com/Group Accounts/Users

Under Current Condition Set, click 'Add v' to add the condition to the field

Under Results: (Select your ACS Read-Only internal identity group)

Identity Group: All Groups: Read-Only

Click OK at the bottom of the page to close the window and add the rule.

5. Click the Save Changes button at the bottom of the screen

I hope this helps solve your problem, or gets you on the right track.

--Chris

joeju · ‎01-09-2014

Chris,

Your explaination was very helpful, and my ACS acted correctly according to your steps, until I got to step 4, when I select identity for the defailt device admin, I select single result selection, but I never get an Identity source to select. Is there another setting somewhere that i may be missing. I am very new to setting up ACS servers and unfortunately I am learning on the fly.

Thanks,

Joe

abwahid · ‎09-20-2014

Hi,

please go through this link.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html#366352