Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1583
Views
3
Helpful
9
Replies

HELP! Cisco ACS v 3.3

Mike Mihaly
Level 1
Level 1

‎08-13-2012 10:57 AM - edited ‎03-10-2019 07:24 PM

Greetings,

I have recently inherited and older ACS server. I am having trouble with certain ACS groups accessing resources witch they are not assigned to.

I've setup Windows Database and that works fine,  when assigning a specific AD group to an ACS defined group that work also.

But when I assign another windows Ad group to another ACS group, this group can access resources in other groups, which I don't want.

Is there something I am missing, I looked up and down, with no luck.

Any help is appriciated.

Thanks!  

Labels:
0 Helpful
9 Replies 9

Tarik Admani
VIP Alumni
VIP Alumni

‎08-13-2012 11:06 AM

Mike,

Is the user a member of multiple groups in windows? Here is the following note within ACS 3.3:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/qg.html

Group Mapping Order

Cisco Secure ACS always maps users to a single Cisco Secure ACS group,  yet a user can belong to more than one group set mapping. For example, a  user, John, could be a member of the group combination Engineering and  California, and at the same time be a member of the group combination  Engineering and Managers. If there are Cisco Secure ACS group set  mappings for both these combinations, Cisco Secure ACS has to determine  to which group John should be assigned.

Cisco Secure ACS prevents conflicting group set mappings by assigning a  mapping order to the group set mappings. When a user authenticated by an  external user database is to be assigned to a Cisco Secure ACS group,  Cisco Secure ACS starts at the top of the list of group mappings for  that database. Cisco Secure ACS checks the user group memberships in the  external user database against each group mapping in the list  sequentially. Upon finding the first group set mapping that matches the  external user database group memberships of the user, Cisco Secure ACS  assigns the user to the Cisco Secure ACS group of that group mapping and  terminates the mapping process.

Clearly, the order of group mappings is important because it affects the  network access and services allowed to users. When defining mappings  for users who belong to multiple groups, make sure they are in the  correct order so that users are granted the correct group settings.

For example, a user, Mary, is assigned to the three-group combination of  Engineering, Marketing, and Managers. Mary should be granted the  privileges of a manager rather than an engineer. Mapping A assigns users  who belong to all three groups Mary is in to Cisco Secure ACS Group 2.  Mapping B assigns users who belong to the Engineering and Marketing  groups to Cisco Secure ACS Group 1. If Mapping B is listed first,  Cisco Secure ACS authenticates Mary as a user of Group 1, and she is be  assigned to Group 1, rather than Group 2 like managers should be.

Tarik Admani
*Please rate helpful posts*

Mike Mihaly
Level 1
Level 1
In response to Tarik Admani

‎08-13-2012 11:43 AM

Hi Tarik,

The thing is the user is not a member of any other groups in windows or ACS...

I tried just using one user one group to one ACS group.. and I guess the user/group created first will always have access to groups that are created after?

Thanks again,

Mike

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Mike Mihaly

‎08-13-2012 11:47 AM

Mike,

I wonder if the user is hitting the default group. Verify if this is the case in the passed attempts report, and then set the default group to no access and see if that changes your luck.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Mike Mihaly
Level 1
Level 1
In response to Tarik Admani

‎08-13-2012 02:37 PM

hmm... I hav tried that still no luck...

two seperate users in sepearate groups (windows and ACS) have access to each others resources.

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Mike Mihaly

‎08-13-2012 02:50 PM

Mike,

You are using a wildcard at the end of your groups "Mike,*" means Mike, or any NT group. Try removing the wildcard and see if that fixes your issue.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Mike Mihaly
Level 1
Level 1
In response to Tarik Admani

‎08-13-2012 03:05 PM

this is a stupid questions, but how do I remove the wild card? there is no options to de select it or select it..

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Mike Mihaly

‎08-13-2012 03:07 PM

You will have to delete the mapping and reenter it.

thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Mike Mihaly
Level 1
Level 1
In response to Tarik Admani

‎08-13-2012 03:11 PM

aggreed, but how do you not select the wildcard? it does it automatically...

I looked every where..

Thanks,
Mike

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Mike Mihaly

‎08-13-2012 03:15 PM

I wish I had a 3.3 virtual machine that I can play with, and I know that it will be tough to get support for this since the product isnt supported anymore.

You can try to get in contact with TAC and ask this specific question and see how they can help you get your mapping straightened out.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents