Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
867
Views
6
Helpful
3
Replies

ACS - Device Group Mapping

lee.reade
Level 4
Level 4

‎04-01-2005 07:50 AM - edited ‎07-04-2021 10:38 AM

Hi,

Have a requirement to setup ACS 3.2 with group mapping to internal Active Directory domain for authentication, however this setup will have multiple NAS and it is required that depending on which NAS a user accesses the network via, the group mapping that is applied to the user.

For example, a user connects via a vpn through pixa and should be assigned the group vpn, whereas another user connects via an anologue access server as should be assigned the group dial-in. Also note that no user will be tied to any access method, ie a user could use the dial up or vpn access method.

Although I cannot fathom how to achieve this, if at all.

Any ideas people?

Cheers,

LR

Labels:
0 Helpful
3 Replies 3

ramos1
Level 1
Level 1

‎04-11-2005 12:27 PM

Unfortunately, ACS server only supports one active group mapping for a given user. So if you have two different groups that users will be members of at the same time, ACS will dynamically map them to the group which occurs first in the list in your group mapping config (under External User DB's - DB Group Mappings). That will be the one and only group to which the user belongs as far as ACS is concerned.

You might want to try combining group settings into one so that all necessary services are available in either situation, then use NAR's to tighten down who goes where, when, etc..

lee.reade
Level 4
Level 4
In response to ramos1

‎04-12-2005 01:05 AM

Thanks for the input, however;

How would you use the NARs to restrict a user in this manner. Remember in this case a certain user could access the network via either the RAS and VPN devices, depending on which method the user uses.

The RAS users have only to access server A whilst the VPN users have to access the A & B (for example). If you have an ACS group mapping to an internal Active Directory domain group, then all users will be placed in that ACS group, as ACS will choose the first group map that it finds.

Can you advise if it is possible to achieve what I am looking for??

Cheers

LR

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card