One User - Multiple Groups - ACS4.2

Sohail Muhammad
Level 1

Hi All,

Is it possible that an AD user who is already a member of multiple groups in AD can work in the same way with ACS 4.2? Actually, my client has created multiple groups in AD, like IT-Group, Corp-Group and VIP-Group, and these groups are mapped on ACS. Now we are authenticating the users with the corresponding SSID over the wireless network by creating a NAR which matches the DNIS (the SSIDs are the same as the AD groups). Some of the users are members of all 3 or of 2 groups, but we have observed that a user who is a member of 2 or more groups is always authenticated with the 1 group that is first on ACS. Is it a limitation of ACS 4.2?

Regards,

Sohail


8 Replies

Ravi Singh
Level 7

I don't think there is any way to achieve this task. You can say this is a limitation of ACS.

Jatin Katyal
Cisco Employee

ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. When you configure an ACS group mapping based on group set membership, you can add one or many external user database groups to the set. For ACS to map a user to the specified ACS group, the user must match all external user database groups in the set. It actually works as an AND operator, so if the user satisfies the condition, it will work.

ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.

Group-Mapping with ACS 4.2

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMap.html#wp940485

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Amjad Abdullah
VIP Alumni

Hi,

Group mapping on ACS maps the user to one and only one group. So, a specific user can be a member of only one ACS group at any specific time.

If you are using group mapping to map the groups from the external DB (AD), then the mapping goes sequentially, as described by Jatin above. The first match assigns the group.

So, if a user is a member of both AD groups Corp and VIP, it will be mapped to the first one that appears in the group mapping configuration.

If you want the mapping to always work, you had better make users part of one specific group among the three that you use, or prioritize the order of the mappings so that it satisfies your requirement; i.e. if a user is part of all groups and you want that one to be a part of VIP only, in this case put the VIP group mapping configuration first, followed by the other group mappings.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

So does ACS 5.x version have some flexibility to achieve this goal? With Rule-Based Policy?

Regards,

Sohail

Yes, with ACS 5.x you do have this flexibility, and what you're thinking of can be done. With ACS 5.x:

You can select the Active Directory group under the Customize page, in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add.

You can select AD1:ExternalGroup, and there you have 2 options: Contains Any or Contains All. These work like OR / AND operators that you can select based on your requirement.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/access_policies.html#wp1064976

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks Jatin for your reply. But I just got a reply from a Cisco TAC engineer that the same can be done on ACS 4.2 by configuring a Group Set for external database groups. I tried to find out the configuration method but only managed to find the following:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMap.html#wp940457

Can you guide me how to configure Group Set?

Please understand this example:

For example, a user named Mary is assigned to the three-group combination of Engineering, Marketing, and Managers. Mary should be granted the privileges of a manager rather than an engineer.

- Mapping A assigns to ACS Group 2 users who belong to all three groups of which Mary is a member.

- Mapping B assigns to ACS Group 1 users who belong to the Engineering and Marketing groups.

- Mapping C assigns to ACS Group 3 users who belong to the Engineering Group.

        ACS GROUP     AD EXTERNAL GROUPS
A.      Group 2       Engineering, Marketing, Managers
B.      Group 1       Engineering, Marketing
C.      Group 3       Engineering

- If Mapping B is listed first, ACS authenticates Mary as a user of Group 1 and she will be assigned to Group 1, rather than Group 2 as managers should be.

- A user must match all the groups in the Selected list so that ACS can use this group set mapping to map the user to an ACS group; however, a user can also belong to other groups (in addition to the groups listed) and still be mapped to an ACS group.

- Order of group mapping is very important.


Now, please let me know if you've some other requirement.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
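The two rules Jatin describes (a group set matches only when the user is in every AD group it lists, and the first matching set in the ordered list wins) are easy to get wrong in a long mapping list, so here is an added example that is not part of the original thread or of any Cisco code. It simulates that ACS 4.2 first-match/AND behaviour on the Mary example above, and goes one step further than the post: it flags mappings that can never fire because an earlier, less specific set shadows them, and shows that ordering sets from most to least specific is the general fix. The group and user names are the constructed ones from the thread; the ACS 5.x `Contains Any` / `Contains All` condition from Jatin's earlier reply is modelled as a plain any/all check, which is an assumption about that UI option, not a reproduction of ACS internals.

```python
"""Simulation of ACS 4.2 group-set mapping order (constructed example)."""
from typing import FrozenSet, Iterable, List, Optional, Sequence, Tuple

# A group-set mapping: (ACS group to assign, AD groups the user must ALL belong to).
Mapping = Tuple[str, FrozenSet[str]]


def build_mappings(rows: Iterable[Tuple[str, Iterable[str]]]) -> List[Mapping]:
    """Turn (acs_group, [ad_group, ...]) rows, in configured order, into mappings."""
    return [(acs_group, frozenset(ad_groups)) for acs_group, ad_groups in rows]


def map_user_acs42(user_groups: Iterable[str], mappings: Sequence[Mapping]) -> Optional[str]:
    """Return the single ACS group ACS 4.2 would assign, or None if nothing matches.

    Mappings are checked top to bottom.  A mapping matches when the user holds
    EVERY AD group in the set (AND); extra memberships do not block a match.
    The first match wins and evaluation stops, exactly as described in the thread.
    """
    groups = frozenset(user_groups)
    for acs_group, required in mappings:
        if required <= groups:          # subset test == "member of all listed groups"
            return acs_group
    return None


def find_shadowed(mappings: Sequence[Mapping]) -> List[int]:
    """Indices of mappings that can never match.

    Mapping j is dead if an earlier mapping i requires a subset of j's groups:
    every user who satisfies j already satisfied i and was stopped there.
    """
    dead = []
    for j, (_, required_j) in enumerate(mappings):
        if any(required_i <= required_j for _, required_i in mappings[:j]):
            dead.append(j)
    return dead


def sort_most_specific_first(mappings: Sequence[Mapping]) -> List[Mapping]:
    """Reorder so a set is never listed after one of its own subsets.

    Sorting by descending set size (stable sort) guarantees that a more specific
    combination such as Engineering+Marketing+Managers is tried before the
    broader Engineering+Marketing, which removes every shadowing case.
    """
    return sorted(mappings, key=lambda m: len(m[1]), reverse=True)


def external_group_condition(user_groups: Iterable[str], selected: Iterable[str], operator: str) -> bool:
    """Assumed model of the ACS 5.x AD1:ExternalGroup condition: 'any' (OR) or 'all' (AND)."""
    groups, wanted = set(user_groups), set(selected)
    if operator == "any":
        return bool(groups & wanted)
    if operator == "all":
        return wanted <= groups
    raise ValueError("operator must be 'any' or 'all'")


# Constructed data from the thread's example.
MARY = {"Engineering", "Marketing", "Managers"}

# Mapping B listed before A: the ordering the post warns about.
WRONG_ORDER = build_mappings([
    ("Group 1", ["Engineering", "Marketing"]),              # Mapping B
    ("Group 2", ["Engineering", "Marketing", "Managers"]),  # Mapping A
    ("Group 3", ["Engineering"]),                           # Mapping C
])

# Most specific set first, as the post recommends.
RIGHT_ORDER = build_mappings([
    ("Group 2", ["Engineering", "Marketing", "Managers"]),  # Mapping A
    ("Group 1", ["Engineering", "Marketing"]),              # Mapping B
    ("Group 3", ["Engineering"]),                           # Mapping C
])

if __name__ == "__main__":
    print("B first  ->", map_user_acs42(MARY, WRONG_ORDER))   # Group 1 (wrong for a manager)
    print("A first  ->", map_user_acs42(MARY, RIGHT_ORDER))   # Group 2
    print("shadowed in wrong order:", find_shadowed(WRONG_ORDER))
    print("auto-fixed ->", map_user_acs42(MARY, sort_most_specific_first(WRONG_ORDER)))
```

Running `find_shadowed` over an exported mapping list is the quick sanity check to do before blaming the product: any index it returns is a group set that will never be reached, which is exactly the symptom Sohail reports for users in two or more groups.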

I think you've asked the same question in a different section. Let's troubleshoot on a single post; that would avoid confusion.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin