05-02-2012 08:13 AM - edited 03-10-2019 07:03 PM
Hi All
Can't seem to see how to associate an AD group - which I have defined in
Users and Identity Stores/External Identity Stores/Active Directory/Directory Attributes -
to associate with the relevant identity groups -
Users and Identity Stores/Identity Groups.
Is there an example of this being done somewhere, as I am having problems understanding
how to do this from the user guide?
All I want to do is associate identity groups with AD groups.
Steve
05-03-2012 06:15 AM
When you click on the selection service rules, there is a check box to enable group mapping. Make sure that is enabled and then you can perform your mapping there.
Thanks,
Tarik Admani
05-23-2012 09:47 AM
How is this done with ISE 1.1?
05-23-2012 02:00 PM
Steve,
I'm going to outline the assumptions first, then describe how to associate AD groups to ACS identity groups. BTW, I'm using ACS v5.2 on a VM, so 5.3 might be a little different.
ASSUMPTIONS
1. Assume a simple setup, where you have two ACS identity groups, one for admins and one for read-only:
Users and Identity Stores > Identity Groups
Admin
Read-Only
2. Your ACS is joined to a domain, and you have added two AD groups to the Directory Groups tab
(not the Directory Attributes tab as you stated above):
Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups tab
mydomain.com/Group Accounts/Admins
mydomain.com/Group Accounts/Users
3. Your Search Sequence checks AD for accounts:
Users and Identity Stores > Identity Store Sequences >
Password Based is checked
Authentication and Attribute Retrieval Search List
AD1 has been added to the Selected box on the right
4. The ACS is set to use the Search Sequence from Step 3:
Access Policies > Access Services > Default Device Admin > Identity
Single result selection is selected
Identity Source:
Assuming all that is correct:
ASSOCIATE AD GROUPS TO ACS IDENTITY GROUPS
1. Navigate to Access Policies > Access Services > Default Device Admin > Group Mapping
2. Select the radio button for 'Rule based result selection,' and click OK on the pop-up dialog
3. Click Create, and give the first rule a meaningful name, such as 'AD-Admin to ACS-Admin'
Check the box for Compound Condition
Dictionary: AD-AD1 Attribute: ExternalGroups
Under Value: (Click the Select button, and select your AD Admin group)
mydomain.com/Group Accounts/Admins
Under Current Condition Set, click 'Add v' to add the condition to the field
Under Results: (Select your ACS Admin internal identity group)
Identity Group: All Groups: Admin
Click OK at the bottom of the page to close the window and add the rule.
4. Click Create, and give the second rule a meaningful name, such as 'AD-Users to ACS-Read-Only'
Check the box for Compound Condition
Dictionary: AD-AD1 Attribute: ExternalGroups
Under Value: (Click the Select button, and select your AD Admin group)
mydomain.com/Group Accounts/Users
Under Current Condition Set, click 'Add v' to add the condition to the field
Under Results: (Select your ACS Read-Only internal identity group)
Identity Group: All Groups: Read-Only
Click OK at the bottom of the page to close the window and add the rule.
5. Click the Save Changes button at the bottom of the screen
I hope this helps solve your problem, or gets you on the right track.
--Chris
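The two mapping rules described above, modelled as an added example (this is not ACS code and is not from the original post): an ordered, first-match evaluation of a user's AD-AD1:ExternalGroups values against each rule, returning the ACS identity group of the first rule that matches. The rule names, AD group paths and identity groups are taken from the post; the sample users are constructed, and the default result of "All Groups" for a user who matches no rule and the case-insensitive comparison of group paths are assumptions.

```python
"""Illustrative model of ACS 5.x rule-based group mapping (not ACS code).

Each rule is: condition "AD-AD1:ExternalGroups contains <AD group path>",
result "<ACS identity group>". Rules are evaluated top to bottom and the
first match wins; a user that matches nothing gets the Default rule's result.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class MappingRule:
    name: str             # rule name as entered in the Group Mapping table
    external_group: str   # AD group path as shown on the Directory Groups tab
    identity_group: str   # ACS identity group chosen under Results


# Rules exactly as configured in the post, in the order they were created.
RULES: List[MappingRule] = [
    MappingRule("AD-Admin to ACS-Admin",
                "mydomain.com/Group Accounts/Admins", "All Groups:Admin"),
    MappingRule("AD-Users to ACS-Read-Only",
                "mydomain.com/Group Accounts/Users", "All Groups:Read-Only"),
]

# Assumption: the Default rule maps unmatched users to the root identity group.
DEFAULT_IDENTITY_GROUP = "All Groups"


def map_identity_group(external_groups: Iterable[str],
                       rules: Sequence[MappingRule] = RULES,
                       default: str = DEFAULT_IDENTITY_GROUP) -> Tuple[str, str]:
    """Return (matched rule name, identity group) for one user.

    ExternalGroups is multi-valued, so a rule matches when its AD group path
    is one of the user's groups. Comparison is case-insensitive here
    (assumption: AD group names are not case-sensitive).
    """
    member_of = {g.strip().lower() for g in external_groups}
    for rule in rules:
        if rule.external_group.lower() in member_of:
            return rule.name, rule.identity_group
    return "Default", default


def evaluate_users(users: Dict[str, List[str]],
                   rules: Sequence[MappingRule] = RULES) -> Dict[str, Tuple[str, str]]:
    """Map every user to the rule and identity group that would apply."""
    return {user: map_identity_group(groups, rules) for user, groups in users.items()}


# Constructed sample users (not from the post): ExternalGroups as AD would
# return them to ACS. alice is in both AD groups, which is the ordering case.
SAMPLE_USERS: Dict[str, List[str]] = {
    "alice": ["mydomain.com/Group Accounts/Admins",
              "mydomain.com/Group Accounts/Users"],
    "bob":   ["mydomain.com/Group Accounts/Users"],
    "carol": ["mydomain.com/Group Accounts/Contractors"],
    "dave":  ["MYDOMAIN.COM/Group Accounts/admins"],
}


if __name__ == "__main__":
    for user, (rule, group) in evaluate_users(SAMPLE_USERS).items():
        print(f"{user:6} -> {group:22} (via rule: {rule})")
```

Two things the model makes visible that the GUI does not: a user who is in both AD groups gets whichever rule is listed first, so keep the more privileged mapping above the less privileged one (or keep the AD groups disjoint); and a user who is in neither AD group does not fail mapping but falls through to the Default rule, so check what that rule maps to before any authorization policy relies on the identity group.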
01-09-2014 07:50 AM
Chris,
Your explanation was very helpful, and my ACS acted correctly according to your steps, until I got to step 4. When I select Identity for the Default Device Admin, I select single result selection, but I never get an Identity Source to select. Is there another setting somewhere that I may be missing? I am very new to setting up ACS servers and unfortunately I am learning on the fly.
Thanks,
Joe
09-20-2014 12:06 PM
Hi,
Please go through this link.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html#366352