11-11-2010 05:30 AM - edited 03-10-2019 05:34 PM
Hi all,
We have ACS 4.2 and two types of user access to our network:
1_ We got some users in "CiscoAdmins" Active Directory Group, corresponding mapped Cisco ACS group is "Switch Admins".
2_ We also have some users in "VPN_Users" Active Directory Group, corresponding mapped Cisco ACS group is "VPN_Users".
In "Order mapping" page on Cisco ACS 4.2, we put the "CiscoAdmins" Active Directory Group Mapping on top of "VPN_Users" Active Directory Group mapping. So what happens is, if a user belongs to both "CiscoAdmins" and "VPN_Users" groups in Active Directory, the user always goes into "Switch_Admins" group in Cisco ACS.
However for some users (who belong to both groups in Active Directory) we need to apply some IP assignment and specific authorization.
Any suggestions are welcome.
Thanks in advance.
Dumlu
11-11-2010 05:35 PM
I see that a few users in AD belong to both groups; follow the steps below to meet your criteria.
Here we assume the two groups on AD are Wireless and VPN.
Please follow the below suggestion. To achieve this:
1. We can create 3 groups on the ACS: 1) Wireless, 2) VPN, 3) Wireless+VPN.
2. Then in Windows group mapping:
Wireless+VPN (on ACS) maps to two groups, Wireless on AD and VPN on AD,
then Wireless (ACS) maps to Wireless on AD,
VPN (ACS) maps to VPN on AD.
3. Ensure that the mapping order is the following:
1) Wireless+VPN group (on ACS) maps to two groups on AD, Wireless on AD and VPN on AD.
2) Wireless (ACS) maps to Wireless on AD.
3) VPN (ACS) maps to VPN on AD.
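The ordering point in the answer above is easy to get wrong, so here is a small model of it as an added example (not Cisco ACS code and not part of this thread). It assumes the semantics the answer describes: mapping rules are evaluated top to bottom, a rule that lists several AD groups requires membership in all of them, and the first matching rule decides the ACS group. The user names and the `check_order` helper are constructed for the illustration; the helper flags a rule that can never match because an earlier, less specific rule always wins first.

```python
# Added illustration: a minimal model of ordered Windows group mapping as the
# answer above describes it. Not Cisco ACS code; the first-match semantics and
# "all listed AD groups required" rule are assumptions drawn from the thread.
from typing import Dict, List, Optional, Set, Tuple

# A mapping rule: the set of AD groups a user must belong to (all of them)
# and the ACS group the user is placed in when the rule matches.
MappingRule = Tuple[Set[str], str]


def map_user(ad_groups: Set[str], rules: List[MappingRule]) -> Optional[str]:
    """Return the ACS group for a user, evaluating rules top to bottom.

    The first rule whose required AD groups are all present wins, which is
    why the order of the mapping list matters.
    """
    for required, acs_group in rules:
        if required <= ad_groups:
            return acs_group
    return None  # no rule matched; the real product applies its default handling


# Constructed sample users: one in both AD groups, one in each single group.
USERS: Dict[str, Set[str]] = {
    "alice": {"Wireless", "VPN"},
    "bob": {"Wireless"},
    "carol": {"VPN"},
}

# Ordering from the original question: single-group rules only, the first one
# on top, so a user in both groups always lands in the first ACS group.
ORIGINAL_ORDER: List[MappingRule] = [
    ({"Wireless"}, "Wireless"),
    ({"VPN"}, "VPN"),
]

# Ordering from the answer: the combined rule is evaluated first, so dual
# members get their own ACS group with its own authorization settings.
FIXED_ORDER: List[MappingRule] = [
    ({"Wireless", "VPN"}, "Wireless+VPN"),
    ({"Wireless"}, "Wireless"),
    ({"VPN"}, "VPN"),
]

# Constructed misordering: the combined rule exists but sits at the bottom,
# so a single-group rule above it always matches first.
MISORDERED: List[MappingRule] = [
    ({"Wireless"}, "Wireless"),
    ({"VPN"}, "VPN"),
    ({"Wireless", "VPN"}, "Wireless+VPN"),
]


def map_all(rules: List[MappingRule]) -> Dict[str, Optional[str]]:
    """Map every sample user under the given rule order."""
    return {name: map_user(groups, rules) for name, groups in USERS.items()}


def check_order(rules: List[MappingRule]) -> List[str]:
    """Return ACS groups whose rule can never match because an earlier rule's
    required AD groups are a subset of theirs (the earlier rule shadows it)."""
    shadowed = []
    for i, (required, acs_group) in enumerate(rules):
        for earlier_required, _ in rules[:i]:
            if earlier_required <= required:
                shadowed.append(acs_group)
                break
    return shadowed


if __name__ == "__main__":
    print("original order:", map_all(ORIGINAL_ORDER))
    print("fixed order:   ", map_all(FIXED_ORDER))
    print("shadowed rules in misordered list:", check_order(MISORDERED))
```

Run it and the dual member ends up in "Wireless" under the original order and in "Wireless+VPN" under the fixed order; the shadowing check is a quick way to review a mapping list before relying on it for authorization decisions.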
11-12-2010 09:42 AM
Hi ,
Thanks for getting back. Haven't tried your suggestion so far, but curious, how does it work if I map two different AD groups ("wireless", "vpn") to the same ACS group (wireless+vpn)?
I thought when AD sends an authentication result message to ACS, it also sends the AD group names which that user belongs to.
So ACS receives that that specific user is a member of "wireless", and also a member of "vpn" AD group. Whichever group name ACS reads first, that user should belong to the corresponding ACS group.
But what you are actually saying is if I map a specific ACS group ("wireless+vpn") to two different AD groups, ACS checks the authentication result message from AD server for both group names?
Am I getting this correct ?
Thanks a lot.
Dumlu
11-12-2010 01:26 PM
Yes, ACS checks for user group membership, and it can determine if a user is a member of multiple groups and then map it to the corresponding ACS group. A few extra materials on ACS group mapping:
Note: Please rate the answer if it helped
11-12-2010 01:37 PM
Well, apparently I haven't done my homework. Thanks a lot aneelaka, you've been a great help!
Dumlu