Solved: Group mappings

dpatkins · ‎09-25-2006

Need to tap some brain power here. Can I map a NT account group to an ACS group? If I have a group on our domain called tngrp, can I map it to an HSCguest group on ACS? These will be more detailed groups so should these groups be checked prior to our NT login domain group?

Thanks

Dwane

ethiel · ‎09-25-2006

yes, yes, and yes. You can map windows groups to ACs groups. The gotchas are:

You cannot use nested groups in AD (e.g. testgroup contains testgroup1 and testgroup2).

A user can not map to multiple ACS groups. For this reason, as you mentioned, you want the most important groups first. For example, if you want admins to map to admins and users to map to users, you should define the admins mapping above the users mapping (assuming all admins are users).

-Eric

View solution in original post

ethiel · ‎09-25-2006

yes, yes, and yes. You can map windows groups to ACs groups. The gotchas are:

You cannot use nested groups in AD (e.g. testgroup contains testgroup1 and testgroup2).

A user can not map to multiple ACS groups. For this reason, as you mentioned, you want the most important groups first. For example, if you want admins to map to admins and users to map to users, you should define the admins mapping above the users mapping (assuming all admins are users).

-Eric

Maximiliano.Garcia.Solorzano · ‎10-19-2007

I know that nested groups isn't supported on ACS 4.0, but, is it on ACS 4.1 ???

See note in page 77

http://www.cisco.com/global/IT/solutions/ent/tecnologie/wireless/pdf/avvid_implementation_guide.pdf

Regards,

Maximiliano.