06-10-2007 11:26 PM - edited 03-10-2019 03:12 PM
We've got a rule in our pix that authentication for outside addresses (the internet) will be via tacacs+.
Our tacacs server is an acs (version 3.3) and the authentication mechanism works.
In the acs we've got an external user database (active directory) and we say that if a user
is a member of a particular group he will be mapped to an acs group which will give
the user the rights.
For new users this goes fine, but for users that already exist in acs (in other groups)
the acs will never look in the external user database but will authenticate against the
existing user (and if the user is in a wrong group we've got a failed attempt).
Is there a way to tell acs always to look in the external user database??
06-10-2007 11:57 PM
Hi
This actually depends on how the user (in ACS) was created.
If you manually enter a user with password type set to AD, the user will always be in the group you assigned at creation time (or re-assigned during an edit).
If the user was auto-created by the unknown user policy, then the group setting will be dynamic and assigned via the group mapping policy for the external authenticator.
It sounds like some of your AD users have been manually assigned groups within ACS. Provided your unknown user policy is working, you could simply delete the users in ACS and let them get auto-recreated.
Darran
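To make the difference between the two kinds of ACS user visible, here is a small Python model of the lookup order described in this thread (internal user database first, then the unknown user policy against AD). It is an added illustration written for this page, not Cisco ACS code, and the user names, AD groups and the AD-to-ACS group mapping are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: the external user database (AD) and its group membership.
AD_GROUPS = {
    "alice": {"VPN-Users"},
    "bob": {"Admins"},
    "carol": {"VPN-Users"},
}

# Constructed group mapping policy for the external authenticator: AD group -> ACS group.
GROUP_MAPPING = {
    "VPN-Users": "acs-vpn",
    "Admins": "acs-admin",
}


@dataclass
class AcsUser:
    name: str
    group: str
    auto_created: bool  # True: created by the unknown user policy, group is dynamic


class AcsModel:
    """Hypothetical model of ACS user lookup; simplified for illustration."""

    def __init__(self, users):
        self.users = {u.name: u for u in users}

    def map_group(self, name):
        """Apply the group mapping policy to the user's AD memberships."""
        for ad_group in AD_GROUPS.get(name, ()):
            if ad_group in GROUP_MAPPING:
                return GROUP_MAPPING[ad_group]
        return None

    def authenticate(self, name, ad_password_ok=True):
        """Return the ACS group the session is authorized with, or None on failure."""
        if not ad_password_ok or name not in AD_GROUPS:
            return None
        user = self.users.get(name)
        if user is None:
            # Unknown user policy: consult AD and auto-create the user with a dynamic group.
            group = self.map_group(name)
            if group is None:
                return None
            self.users[name] = AcsUser(name, group, auto_created=True)
            return group
        if user.auto_created:
            # Dynamic group: re-evaluated from AD membership on every login.
            user.group = self.map_group(name) or user.group
            return user.group
        # Manually created user with password type AD: the assigned group is static,
        # so the AD membership is never consulted for group selection.
        return user.group

    def delete_user(self, name):
        """The fix suggested above: drop the manual entry so the user is auto-recreated."""
        self.users.pop(name, None)


def scenario():
    """Reproduce the thread's situation and return the observed groups at each step."""
    # carol was manually put into acs-admin, although AD places her in VPN-Users.
    acs = AcsModel([AcsUser("carol", "acs-admin", auto_created=False)])
    results = {}
    results["alice_first_login"] = acs.authenticate("alice")   # auto-created, dynamic
    results["carol_manual"] = acs.authenticate("carol")        # static group, AD ignored
    acs.delete_user("carol")
    results["carol_recreated"] = acs.authenticate("carol")     # now mapped from AD
    results["carol_is_dynamic"] = acs.users["carol"].auto_created
    results["unknown_dave"] = acs.authenticate("dave")         # not in AD: rejected
    return results


if __name__ == "__main__":
    for step, value in scenario().items():
        print(f"{step}: {value}")
```

Running it shows carol landing in acs-admin as long as her manual entry exists, and only moving to the AD-mapped group once that entry is deleted and the unknown user policy recreates her.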
06-11-2007 12:54 AM
Ok, thank you for your reply.
But what will happen when one user at one time needs to be authorized by group 1
in AD and another time he must be authorized by group 2 in AD (depending on what he's doing)?
I think that will not be possible, am I right??
06-11-2007 03:18 AM
Depends on the protocol.. RADIUS or TACACS+
For RADIUS you could (in v4.0) create multiple NAPs; each with its own AD->ACS group mappings.
For TACACS+ you create NDG->Device Command Set mappings to modify the authorisation based on the device group being managed.