ACS - Group mapping to External database problem

Answered Question

Hi NetPro's,

Currently we have Cisco ACS 3.3 using Windows AD for authentication of remote VPN & wireless users.

There is a one-to-one group mapping in the Cisco ACS 'External User Databases' and the NT Group for both VPN users and Wireless users:

Example (ascending order):

NT groups            CiscoSecure group
Remote VPN Group  *  VPN Users
Wireless Users    *  WLAN users

The ACS server has the following AAA clients, which are associated to the following CiscoSecure groups as per the Network Access Restrictions in the group settings.

AAA Client              CiscoSecure group
Wireless controller     WLAN users
Remote access Server    VPN Users

Now, if an AD user is only in either one of the above groups, authentication is successful as expected. However, if an AD user is a member of both the Remote VPN and Wireless Users group and is trying to access the wireless network authentication fails.

When I check the failed attempts in the ACS logs I see the particular user being denied access to the Wireless NAS with reason 'User Access Filtered' with group name VPN Users instead of WLAN users. So, because the user is in 'both' NT groups, they are matching the first NT group in the External database list (being Remote VPN Group) and is being denied because the Remote VPN group is only associated with the Remote access server and not the Wireless domain controller.

Can someone please shed some light on how this particular scenario should be configured?

I would like to configure ACS to allow users access to either VPN or wireless and in some cases both VPN and wireless where the user is a member of both groups.

Thanks in advance.

Mario.

Correct Answer by Jagdeep Gambhir, Fri, 07/06/2007 - 04:32

Hi Mario,

This is how it works:

Let's say that you have three different groups on AD: NetworkAdmin, RouterAdmin and Wireless.

Go to External User Databases > Database Group Mappings > Windows NT/2000 > select the domain to which you are authenticating > Add mapping.

Select the AD group NetworkAdmin and map it to CiscoSecure group 1; select the AD group RouterAdmin and map it to CiscoSecure group 2; select the AD group Wireless and map it to CiscoSecure group 3.

Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin, and that is mapped to ACS group 1 and is the first configured mapping, it will be looked for FIRST (if a user exists in the NetworkAdmin group it will always be mapped to CiscoSecure group 1, NO further mappings for this user are checked, and the user is authenticated or rejected).

Scenario: if you have a user called cisco in the NetworkAdmin group, cisco1 in the RouterAdmin group, and cisco2 in Wireless, they will always be dynamically mapped to ACS groups 1, 2 and 3 respectively as per the above mappings.

You can check the mappings in the passed authentications for users to see what group they are getting mapped to.

SCENARIO:

Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not to Wireless or RouterAdmin devices, you would need to apply NARs to group 1, because NetworkAdmin users are connecting to that group; there you will permit access on a group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.

NOTE:

If you are applying NARs for Wireless or VPN devices, you would need to configure both IP-based AND CLI/DNIS-based NARs together, because NARs were originally designed for Cisco IOS on routers and switches.

IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password); the only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.

ACS will not support the following configuration:

* An Active Directory user that is a member of 3 AD groups (groups A, B and C).
* Those 3 groups are mapped within ACS as follows: Group1->A, Group2->B and Group3->C.
* The user is in all 3 groups; however, he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.

However, if your mappings are in the order below...

NT Groups              ACS groups
A,B,C =============>   Group 1
A     =============>   Group 2
B     =============>   Group 3
C     =============>   Group 4

You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group 1. This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C). You can create a rule for users in group A (Group 2), a rule for users in group B (Group 3) and a rule for users in group C (Group 4).

Here I also enclose the links connected to group mapping in the user guide:

Group mapping order:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/qg.htm#wp940485

User guide homepage:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/index.htm

Please rate if that helps!

Regards,

~JG

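As an added illustration (not code from the thread or from Cisco ACS), this Python model reproduces the mapping order the answer describes: the first configured mapping whose NT groups the user holds wins and its group's NAR is then applied. It runs Mario's configuration first, reproducing the 'User Access Filtered' result, and then the answer's fix with the combined mapping placed first; the 'VPN+WLAN users' group name is a constructed placeholder.

```python
# Added example (not from the thread): a small Python model of the ordered
# group-mapping behaviour the answer describes. Mapping order, group names,
# AAA client names and the "User Access Filtered" reason come from the thread;
# the functions, data layout and the "VPN+WLAN users" group name are constructed.

def map_user(user_nt_groups, mappings):
    """mappings: list of (required NT groups, ACS group) in configured order.
    The FIRST mapping whose NT groups are all held by the user wins; later
    mappings are never consulted, exactly as the answer describes."""
    held = frozenset(user_nt_groups)
    for required, acs_group in mappings:
        if frozenset(required) <= held:
            return acs_group
    return None

def authorize(user_nt_groups, mappings, nars, aaa_client):
    """nars: ACS group -> AAA clients its NAR permits. Returns
    (mapped group, result) roughly as the ACS passed/failed log shows it."""
    group = map_user(user_nt_groups, mappings)
    if group is None:
        return (None, "no mapping matched")
    if aaa_client in nars.get(group, ()):
        return (group, "Access permitted")
    return (group, "User Access Filtered")

# Mario's configuration: one mapping per NT group, one NAR per ACS group.
ORIGINAL_MAPPINGS = [
    ({"Remote VPN Group"}, "VPN Users"),
    ({"Wireless Users"}, "WLAN users"),
]
ORIGINAL_NARS = {
    "VPN Users": {"Remote access Server"},
    "WLAN users": {"Wireless controller"},
}

# The answer's fix: a mapping for members of BOTH NT groups placed FIRST, with
# its own ACS group whose NAR permits both AAA clients.
FIXED_MAPPINGS = [({"Remote VPN Group", "Wireless Users"}, "VPN+WLAN users")] + ORIGINAL_MAPPINGS
FIXED_NARS = {**ORIGINAL_NARS,
              "VPN+WLAN users": {"Remote access Server", "Wireless controller"}}

if __name__ == "__main__":
    both = {"Remote VPN Group", "Wireless Users"}
    print(authorize(both, ORIGINAL_MAPPINGS, ORIGINAL_NARS, "Wireless controller"))
    print(authorize(both, FIXED_MAPPINGS, FIXED_NARS, "Wireless controller"))
```

A user in only one NT group still falls through to the original single-group mapping, so the existing VPN-only and wireless-only behaviour is unchanged.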