User Multiple Active Directory Group Membership Mapping

dumlutimuralp
Level 1

Hi all,

We got ACS 4.2 and two types of user access to our network:

1_ We got some users in the "CiscoAdmins" Active Directory group; the corresponding mapped Cisco ACS group is "Switch Admins".

2_ We also have some users in the "VPN_Users" Active Directory group; the corresponding mapped Cisco ACS group is "VPN_Users".

In the "Order mapping" page on Cisco ACS 4.2, we put the "CiscoAdmins" Active Directory group mapping on top of the "VPN_Users" Active Directory group mapping. So what happens is, if a user belongs to both the "CiscoAdmins" and "VPN_Users" groups in Active Directory, the user always goes into the "Switch_Admins" group in Cisco ACS.

However, for some users (who belong to both groups in Active Directory) we need to apply some IP assignment and specific authorization.

Any suggestions are welcome.

thanks in advance.

Dumlu


4 Replies

aneelaka
Level 1

I see that a few users in AD belong to both groups; follow the steps below to meet your criteria.

Here we assume the two groups on AD are Wireless and VPN.

Please follow the below suggestion:

To achieve this:
1. We can create 3 groups on the ACS: 1) Wireless, 2) VPN, 3) Wireless+VPN.
2. Then in Windows group mapping:
   Wireless+VPN (on ACS) maps to two groups, Wireless on AD and VPN on AD,
   then Wireless (ACS) maps to (Wireless on AD),
   VPN (ACS) maps to (VPN on AD).
3. Ensure that the mapping order is the following:
   1) Wireless+VPN group (on ACS) maps to two groups on AD, Wireless on AD and VPN on AD.
   2) Wireless (ACS) maps to (Wireless on AD).
   3) VPN (ACS) maps to (VPN on AD).

Hi,

Thanks for getting back. I haven't tried your suggestion so far, but I'm curious: how does it work if I map two different AD groups ("wireless", "vpn") to the same ACS group ("wireless+vpn")?

I thought when AD sends an authentication result message to ACS, it also sends the AD group names which that user belongs to.

So ACS receives that that specific user is a member of the "wireless" AD group, and also a member of the "vpn" AD group. Whichever group name ACS reads first, that user should belong to the corresponding ACS group.

But what you are actually saying is, if I map a specific ACS group ("wireless+vpn") to two different AD groups, ACS checks the authentication result message from the AD server for both group names?

Am I getting this correct?

Thanks a lot.

Dumlu

Yes, ACS checks for user group membership, and it can determine if a user is a member of multiple groups and then map it to the corresponding ACS group. A few extra materials on ACS group mapping:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMap.html#wp940538#wp940538

-

Note: Please rate the answer if it helped
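The mapping semantics described in aneelaka's answer and confirmed in the reply above (rows evaluated top to bottom, first match wins, a row listing several AD groups matches only users who belong to all of them) are easy to get wrong by ordering alone, as the original question shows. The model below is an added example, not code from the thread or from Cisco ACS; it assumes exactly those first-match semantics and uses the answer's Wireless/VPN group names, with the ACS "Default Group" fallback represented as `None`. The `check_order` audit helper is also an assumption of the example, not an ACS feature: it flags a combined mapping that can never match because a narrower row sits above it.

```python
# Added example: toy model of ACS 4.2 ordered Windows group mapping.
# Assumption: ACS evaluates mapping rows in configured order and stops at the
# first row whose AD group set is fully contained in the user's memberships.
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    """One row in the ACS 'Windows group mapping' table."""
    acs_group: str
    ad_groups: frozenset  # the user must be a member of every listed AD group


def map_user(user_ad_groups, mappings):
    """Return the ACS group from the first matching row, or None when no row
    matches (ACS would then use its Default Group)."""
    member_of = frozenset(user_ad_groups)
    for row in mappings:
        if row.ad_groups <= member_of:   # subset test: all required groups present
            return row.acs_group
    return None


# Mapping order as recommended in the thread: the combined row goes first.
ORDERED = [
    Mapping("Wireless+VPN", frozenset({"Wireless", "VPN"})),
    Mapping("Wireless", frozenset({"Wireless"})),
    Mapping("VPN", frozenset({"VPN"})),
]

# Same rows with the combined row moved last: the ordering that produces the
# original problem, where a dual member always lands in the first single-group row.
MISORDERED = [ORDERED[1], ORDERED[2], ORDERED[0]]


def check_order(mappings):
    """Audit helper (constructed for this example): list (shadowed_row, shadowing_row)
    pairs where an earlier row requires a strict subset of a later row's AD groups,
    so the later row can never match."""
    shadowed = []
    for i, later in enumerate(mappings):
        for earlier in mappings[:i]:
            if earlier.ad_groups < later.ad_groups:
                shadowed.append((later.acs_group, earlier.acs_group))
                break
    return shadowed


if __name__ == "__main__":
    dual = {"Wireless", "VPN"}          # constructed sample user memberships
    print("ordered   ->", map_user(dual, ORDERED))     # Wireless+VPN
    print("misordered->", map_user(dual, MISORDERED))  # Wireless
    print("shadowed rows:", check_order(MISORDERED))
```

Running `check_order` against a mapping table before committing it catches the ordering mistake from the original question (a broad single-group row above the combined row) without having to test-authenticate a dual-member account.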

Well, apparently I haven't done my homework. Thanks a lot aneelaka, you've been a great help!

Dumlu
