Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1126
Views
0
Helpful
2
Replies

How to map 2 AD groups into 2 different LOCAL Identity Groups in ACS5.2?

spirtovoz
Level 1
Level 1

‎06-30-2011 04:14 AM - edited ‎03-12-2019 05:39 PM

hi guis!

i want to map 2 groups from external AD to 2 internal groups. like it was in 4.x. can someone advise me how to do this?

Labels:
0 Helpful
2 Replies 2

Shaik Zubair
Level 1
Level 1

‎06-30-2011 10:22 AM

In order to map 2 different AD groups to 2 different local Identity groups we will need to do the following.

Assuming that the ACS is already Joined to a domain for example csco.com

1. we need to populate the concerned 2 AD groups in

Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups tab.

To do this please follow the steps given in the following link "Selecting an AD Group"

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1140999

Once we have the 2 groups populated in there we now need to create a Group mapping policy under the concerned Access Service to map each AD group to the internal group (Internal groups need to be created prior).

1. Make sure group mapping policy option is enabled for the concerned Access Service.

Access Policies > Select the Access Service > Edit

Under General Tab > Policy Structure > Make sure "Group Mapping" is checked

2. Configure group mapping under the Access Service. (Lets say the Access Service name is "Default Network Access")

Access Policies > Default Network Access > check the Radio button "Rule based result selection"

3. Configure a rule

Click on Create > Conditions > Check Compound condition >

In the Dictionary choose "AD-AD1"

Attribute Select "ExternalGroups"

Operator "Contains any"

Value > click on select > you should see the the 2 groups of AD added previously > select one for which we making a group mapping

click on add

You should now see a rule in "Current Condition Set"

In results section > Select > the Internal group you want to map it to > click ok

one group mapping is now created. Do exactly the same for the other AD group by creating another rule.

Please save the changes and your group mapping is now ready like the one in ACS 4.

to confirm if it is being used, try authenticating with a user in that AD group and see if the hit counts are increasing on the rule.

0 Helpful

spirtovoz
Level 1
Level 1
In response to Shaik Zubair

‎07-13-2011 02:30 AM

many thanks!

i'll try to do it.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents