11-08-2012 06:42 AM - edited 03-10-2019 07:45 PM
Hi,
Quick question about TACACS and a user that needs to be in more than one group.
We have a networkAdmins group that is linked to the AD Domain Admins group, with a network admin in it.
We then have another group for firewalls which is linked to the firewall access group in AD. One user is in both groups, which have both been created using a manual mapping in TACACS, but the user is only showing up in the NetworkAdmin group, not in the firewall admin group.
Any ideas why the user is not showing up, or is this even possible?
Thanks
Accepted Solutions
11-09-2012 10:53 AM
No problem! I have had issues in the past when the local and the domain user are the same. You can still get around that by defining what identity stores are used (for example, excluding the internal user database) and/or by properly constructing your authorization rules.
Also, are you using ACS 4.x or 5.x?
Thank you for rating!
11-08-2012 10:51 AM
Hello John,
You can have a user be part of more than one group. You just need to make sure that both of the groups are pulled from AD and then you can build your authorization rules based on that.
Let me know if this makes sense or if you need more details.
11-09-2012 01:37 AM
Hi Neo,
Thanks for the fast reply, that makes sense.
So my user, for example, is currently in the network admins group populated via AD, but there are ACS local users in that group.
If I remove the local users, then AD should populate both groups with my user?
11-09-2012 10:59 AM
Yes, I inherited this system. It's version 4, and this exercise has prompted us to redesign the ACS.
Thanks for your help
11-09-2012 11:04 AM
Those are always nice when you inherit these types of systems. I don't know if you have had any experience with 5.x, but I highly recommend migrating to it. It is much nicer in terms of building blocks, logging, monitoring, etc., and it does not run on Windows.
