Cisco ACS 4.2 one user in multiple local groups

Currently i have group mapping like this

    ACS Groups      Windows Groups
    Grp-A-B         Grp-1 and Grp-2
    Grp-A           Grp-1
    Grp-B           Grp-2

For example, currently one user, test1, is part of both groups 1 and 2 in Windows and is mapped to Grp-A-B in ACS. Is it possible, if I delete the Grp-A-B mapping in ACS, to see the user test1 separately in both groups (Grp-A and Grp-B) in ACS?

Accepted Solutions

Salam Muhammad,

If you have a local user in ACS, that user cannot be a member of two groups at the same time.

The same concept applies to external users. They cannot be mapped to two different groups at the same time.

If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list, because ACS 4.2 processes the group mappings in order:

'''snip'''

Group Mapping Order

ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.

ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.

'''snip'''

Reference: http://goo.gl/cvc474

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
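As an added illustration of the first-match mapping order quoted above (example code written for this page, not Cisco's and not from the thread; the group names are the ones from the question), this Python script models ACS walking down the mapping list and also flags a mapping that an earlier, less specific one would always shadow, which is the usual way a user silently ends up in the wrong ACS group:

```python
# Added example: simulates the ACS 4.2 group-set mapping order described
# in the quoted documentation. Not Cisco code; group names come from the thread.
from typing import FrozenSet, List, Optional, Set, Tuple

# One mapping = (external groups the user must ALL hold, resulting ACS group)
Mapping = Tuple[FrozenSet[str], str]


def map_user(memberships: Set[str], mappings: List[Mapping]) -> Optional[str]:
    """Return the single ACS group for a user, checking mappings top to bottom.

    The first group-set mapping whose required external groups are all
    present wins and the walk stops, so a user is never placed in two groups.
    """
    for required, acs_group in mappings:
        if required <= memberships:
            return acs_group
    return None  # nothing matched; ACS falls back to its default handling


def shadowed_mappings(mappings: List[Mapping]) -> List[str]:
    """List ACS groups whose mapping can never match because an earlier
    mapping requires only a subset of the same external groups."""
    shadowed = []
    for i, (required, acs_group) in enumerate(mappings):
        if any(earlier <= required for earlier, _ in mappings[:i]):
            shadowed.append(acs_group)
    return shadowed


# Constructed from the configuration in the question, in list order
ORIGINAL: List[Mapping] = [
    (frozenset({"Grp-1", "Grp-2"}), "Grp-A-B"),
    (frozenset({"Grp-1"}), "Grp-A"),
    (frozenset({"Grp-2"}), "Grp-B"),
]
WITHOUT_AB = ORIGINAL[1:]          # Grp-A-B mapping deleted
TEST1 = {"Grp-1", "Grp-2"}         # test1 is in both Windows groups

if __name__ == "__main__":
    print(map_user(TEST1, ORIGINAL))                    # Grp-A-B
    print(map_user(TEST1, WITHOUT_AB))                  # Grp-A only, never both
    print(map_user(TEST1, list(reversed(WITHOUT_AB))))  # Grp-B: order decides
    # Single-group mappings listed before the combined one make it dead:
    print(shadowed_mappings(WITHOUT_AB + ORIGINAL[:1]))  # ['Grp-A-B']
```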


Wa Alikum Asalam Amjad,

Yes, I agree it's not possible. Do you think it's possible in version 5.x? My customer has hundreds of groups in AD and users are part of multiple groups, so in this case we would have to create a lot of combinations. Do you think any other solution is available?