08-13-2012 10:57 AM - edited 03-10-2019 07:24 PM
Greetings,
I have recently inherited an older ACS server. I am having trouble with certain ACS groups accessing resources which they are not assigned to.
I've set up the Windows Database and that works fine; when assigning a specific AD group to an ACS defined group, that works also.
But when I assign another Windows AD group to another ACS group, this group can access resources in other groups, which I don't want.
Is there something I am missing? I looked up and down, with no luck.
Any help is appreciated.
Thanks!
08-13-2012 11:06 AM
Mike,
Is the user a member of multiple groups in windows? Here is the following note within ACS 3.3:
Cisco Secure ACS always maps users to a single Cisco Secure ACS group, yet a user can belong to more than one group set mapping. For example, a user, John, could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If there are Cisco Secure ACS group set mappings for both these combinations, Cisco Secure ACS has to determine to which group John should be assigned.
Cisco Secure ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user authenticated by an external user database is to be assigned to a Cisco Secure ACS group, Cisco Secure ACS starts at the top of the list of group mappings for that database. Cisco Secure ACS checks the user group memberships in the external user database against each group mapping in the list sequentially. Upon finding the first group set mapping that matches the external user database group memberships of the user, Cisco Secure ACS assigns the user to the Cisco Secure ACS group of that group mapping and terminates the mapping process.
Clearly, the order of group mappings is important because it affects the network access and services allowed to users. When defining mappings for users who belong to multiple groups, make sure they are in the correct order so that users are granted the correct group settings.
For example, a user, Mary, is assigned to the three-group combination of Engineering, Marketing, and Managers. Mary should be granted the privileges of a manager rather than an engineer. Mapping A assigns users who belong to all three groups Mary is in to Cisco Secure ACS Group 2. Mapping B assigns users who belong to the Engineering and Marketing groups to Cisco Secure ACS Group 1. If Mapping B is listed first, Cisco Secure ACS authenticates Mary as a user of Group 1, and she is assigned to Group 1, rather than Group 2 like managers should be.
Tarik Admani
*Please rate helpful posts*
08-13-2012 11:43 AM
Hi Tarik,
The thing is the user is not a member of any other groups in windows or ACS...
I tried just using one user and one group to one ACS group, and I guess the user/group created first will always have access to groups that are created after?
Thanks again,
Mike
08-13-2012 11:47 AM
Mike,
I wonder if the user is hitting the default group. Verify if this is the case in the Passed Attempts report, and then set the default group to No Access and see if that changes your luck.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-13-2012 02:37 PM
Hmm... I have tried that, still no luck...
Two separate users in separate groups (Windows and ACS) have access to each other's resources.
08-13-2012 02:50 PM
Mike,
You are using a wildcard at the end of your groups "Mike,*" means Mike, or any NT group. Try removing the wildcard and see if that fixes your issue.
Thanks,
Tarik Admani
*Please rate helpful posts*
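The ordered, first-match evaluation quoted from the ACS 3.3 documentation above, and the wildcard behaviour Tarik describes ("Mike,*" matching Mike or any NT group), are what make the symptom in this thread possible. The following is an added simulation of that mapping logic, written for this page and not taken from Cisco's code or documentation. The class and function names, the "Domain Users" membership and the user names are constructed for illustration; the wildcard is modelled exactly as the thread states it, so confirm the semantics against the documentation for your own ACS release.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

WILDCARD = "*"  # the trailing "*" in a group combination such as "Mike,*"


@dataclass(frozen=True)
class GroupSetMapping:
    """One entry in the ordered group set mapping list for an external database."""
    required: FrozenSet[str]   # external (Windows/NT) groups named in the mapping
    acs_group: str             # ACS group the user is placed in on a match

    def matches(self, memberships: Iterable[str]) -> bool:
        memberships = set(memberships)
        concrete = self.required - {WILDCARD}
        if WILDCARD in self.required:
            # Modelled as described in the thread: "Mike,*" matches a member of
            # Mike, or a member of any NT group at all (assumption, see lead-in).
            return bool(memberships & concrete) or bool(memberships)
        # Without the wildcard the user must belong to every listed group.
        return concrete <= memberships


def map_user(memberships: Iterable[str], mappings: List[GroupSetMapping],
             default_group: str = "Default Group") -> Tuple[str, Optional[int]]:
    """Walk the mapping list top to bottom and stop at the first match.

    Returns (acs_group, index_of_matching_mapping); an unmatched user falls
    through to the default group and the index is None.
    """
    for index, mapping in enumerate(mappings):
        if mapping.matches(memberships):
            return mapping.acs_group, index
    return default_group, None


def mary_example() -> dict:
    """Reproduce the Mary example from the documentation: order decides the group."""
    mapping_a = GroupSetMapping(frozenset({"Engineering", "Marketing", "Managers"}), "Group 2")
    mapping_b = GroupSetMapping(frozenset({"Engineering", "Marketing"}), "Group 1")
    mary = {"Engineering", "Marketing", "Managers"}
    return {
        "B_first": map_user(mary, [mapping_b, mapping_a])[0],  # Group 1: wrong for a manager
        "A_first": map_user(mary, [mapping_a, mapping_b])[0],  # Group 2: the intended result
    }


def thread_example() -> dict:
    """Two users in two separate Windows groups, with and without the wildcard.

    'Domain Users' is a constructed extra membership every domain account has,
    which is what lets a wildcard mapping swallow users from other groups.
    """
    bob = {"Bob", "Domain Users"}
    with_wildcard = [
        GroupSetMapping(frozenset({"Mike", WILDCARD}), "ACS-Mike"),
        GroupSetMapping(frozenset({"Bob"}), "ACS-Bob"),
    ]
    without_wildcard = [
        GroupSetMapping(frozenset({"Mike"}), "ACS-Mike"),
        GroupSetMapping(frozenset({"Bob"}), "ACS-Bob"),
    ]
    unmapped_user = {"Guests"}
    return {
        # Bob never touches the "Mike" group yet lands in Mike's ACS group.
        "bob_with_wildcard": map_user(bob, with_wildcard)[0],
        # With the wildcard gone the second mapping is reached and Bob is placed correctly.
        "bob_without_wildcard": map_user(bob, without_wildcard)[0],
        # A user matching no mapping hits the default group; set it to No Access.
        "unmapped": map_user(unmapped_user, without_wildcard, default_group="No Access")[0],
    }


if __name__ == "__main__":
    print("Mary:", mary_example())
    print("Thread:", thread_example())
```

Run the module directly to see both scenarios side by side. The useful check for a live ACS box is the same one the simulation makes visible: look at which mapping index (and hence which ACS group) the Passed Attempts report shows for a test user from each Windows group, and if a user from group B reports group A's ACS group, the earlier mapping is matching more broadly than intended.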
08-13-2012 03:05 PM
This is a stupid question, but how do I remove the wildcard? There are no options to deselect it or select it..
08-13-2012 03:07 PM
You will have to delete the mapping and re-enter it.
thanks,
Tarik Admani
*Please rate helpful posts*
08-13-2012 03:11 PM
Agreed, but how do you not select the wildcard? It does it automatically...
I looked everywhere..
Thanks,
Mike
08-13-2012 03:15 PM
I wish I had a 3.3 virtual machine that I could play with, and I know that it will be tough to get support for this since the product isn't supported anymore.
You can try to get in contact with TAC and ask this specific question and see how they can help you get your mapping straightened out.
Thanks,
Tarik Admani
*Please rate helpful posts*