map acs to ad

Network Pro · ‎03-13-2012

Hi,

i have several different groups on the ACS (example: finance, sales, marketing). how do i map this to AD? (for example, if i have to put a person under sales group then i want to goto AD and add him to the member of sales and this should dynamically map and reflect on ACS)

Thanks

Network Pro · ‎03-13-2012

any one can i get the ACS to dynamically map by the group on AD

Ven Taylor · ‎03-13-2012

Yes. You can tell ACS to query AD via LDAP.

What version of ACS are you using?

Ven Taylor

Network Pro · ‎03-13-2012

4.1 acs

Sent from my Windows Phone

Ven Taylor · ‎03-13-2012

We're using 4.2, so it's probably very similar.

Log into your ACS, click the External User Databases button.

Click External user Database Configuration link

Click Windows Database

Click Configure.

Pretty straightforward from there, but I think we had to do something on the AD server too.

Here's a link to the Cisco page that will guide you.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/UsrDb.html#wp353636

Ven

Ven Taylor

Network Pro · ‎03-14-2012

Thanks for this. I have already done this bit. What I want to do is, if add a member to sales group on AD then I want ACS to create a profile dynamically and map it to the sales group on ACS server. I know you will need to go into group mapping and select the domain and map it but cant remember exactly

Sent from my Windows Phone

Network Pro · ‎03-15-2012

any thoughts on this?

minkumar · ‎03-19-2012

HI

ACS cannot create the dynamic group automatically,

you will need to go external user database > database group mapping> windows database > select the domian and map the AD group to ACS

Network Pro · ‎03-20-2012

Thanks for this. I meant dynamic entry on ACS. Example if I have a user Bill and assign to sales group in AD then will ACS automaticaaly create a entry on ACS with the name Bill mapped to sales team (considering I have done what you have told me to)

Thanks

Sent from my Windows Phone

minkumar · ‎03-20-2012

yes, Your understanding is correct. If the AD group is mapped with ACS already. Then in that case, as soon as the authentication is done for the user. The dynamic entry will be created automatically.

In order to verify, whether the user has been created or not. You can do as follows:

user setup> list all users or you can click on the alphabet > you will be able to see that account

Let me know if you have any further questions.

Network Pro · ‎03-20-2012

Thanks for this. I have already mapped the user to the group and linked ACS and AD. But dynamic entry is not created. However on the ACS I can see there is /local, /xyz (domain name) , /default - 3 different domains. The /local has all users mapped to default group on ACS. The /xyz is in correct order - the way I wanted to map. I presume its not wokring as ACS goes in order. It first looks at /local and then goes to xyz. Is this correct? So if jli delete the /local it shd work ?

But just want to confirm one thing - i don't have to create an entry for the users if manually if goes well, isn't it?

Thanks

Sent from my Windows Phone

minkumar · ‎03-20-2012

Yup, It should work. we should be concerned about the AD domain. so if the/ local is deleted. It shouldnt make any difference.

if the group mapping is done then you dont have to create a seprate entry of the user.

Note: The entry will only be created, if the authentication is successfull.

Network Pro · ‎03-20-2012

Thanks will give this a shot and update you

Sent from my Windows Phone

Ravi Singh · ‎09-12-2013

I would suggest you to watch the below video. and also request you to upgrade your version.

http://www.youtube.com/watch?v=zL1mRAcXN2I