Issue with group mapping in ACS.

Unanswered Question
Mar 5th, 2008

When we map an AD group in ACS to an ACS group, it comes up as the AD group and * (as below: “ ,* ”). Because of this *, everybody is able to log in irrespective of his AD group.

Please suggest a way to add only the NT group alone, without the *.

Jagdeep Gambhir Wed, 03/05/2008 - 06:58

Configure "All other combinations" and map it to the No Access group.

ACS--->Ext db group mapping--->windows---> All other combinations

Regards,

~JG

Do rate helpful posts

sumanth_myneni Mon, 03/17/2008 - 06:01

Hi,

Thanks for the information.

We understand this is an alternate and temporary solution. But still, people from one group will be able to access the other group.

Kindly provide me with a solution that restricts users to only one group.

Premdeep Banga Wed, 03/05/2008 - 13:46

Actually '*' means something else.

If you have a group on AD, say 'Alfa',

when you do a mapping on ACS, you'll see it like this:

'Alfa', * ------- Group x

The above means: if a user is a member of group 'Alfa' on AD, AND may also have any other group membership on AD (the meaning of *), then map him to Group x on ACS.

It does not mean map everyone to Group x, even if they are not a member of group 'Alfa' on AD.

As mentioned by JG above, all the users are able to authenticate because of your 'All other combinations' or \DEFAULT mapping on ACS.

Map them to .

Then only those users for whom you have the mapping defined on ACS will be able to log in.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538

Check Step 8:

"The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."

Regards,

Prem
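To make the semantics Prem describes concrete, here is an added illustration (not ACS code, not from the original thread) that models a group-mapping table in the order ACS evaluates it: each line lists the AD groups a user must be in, the trailing * allows any further memberships, and "All other combinations" is the fallback. The group name "No Access" and first-match-wins evaluation are assumptions for the model.

```python
# Constructed model of Cisco ACS external-DB group mapping, as described in the
# thread. Not ACS code; group names and first-match-wins ordering are assumptions.

NO_ACCESS = "No Access"   # hypothetical label for ACS's built-in No Access group


def evaluate_mapping(user_groups, mappings, default_group):
    """Return the ACS group a user is mapped to.

    user_groups:   set of AD group names the user belongs to
    mappings:      ordered list of (required_ad_groups, acs_group); one entry
                   stands for an ACS line like  'Alfa', * ------- Group x
                   i.e. the user must be in every listed AD group and, because
                   of the '*', may belong to any other AD groups as well
    default_group: the ACS group configured under "All other combinations"
    """
    for required, acs_group in mappings:
        if set(required) <= set(user_groups):   # '*' = extra memberships are fine
            return acs_group
    return default_group


def login_allowed(user_groups, mappings, default_group):
    """A user can log in unless the mapping lands on the No Access group."""
    return evaluate_mapping(user_groups, mappings, default_group) != NO_ACCESS


# Constructed sample mapping table: only members of AD group 'Alfa' -> Group x.
MAPPINGS = [(("Alfa",), "Group x")]

if __name__ == "__main__":
    alfa_member = {"Domain Users", "Alfa"}      # '*' lets this extra group through
    other_user = {"Domain Users"}

    # Original complaint: the default line maps to a real ACS group, so the
    # non-member still gets in. The '*' on the 'Alfa' line is not the cause.
    print(login_allowed(other_user, MAPPINGS, "Default Group"))   # True

    # Fix from JG and Prem: map "All other combinations" to No Access.
    print(login_allowed(other_user, MAPPINGS, NO_ACCESS))         # False
    print(login_allowed(alfa_member, MAPPINGS, NO_ACCESS))        # True
```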

pemasirid Wed, 03/12/2008 - 07:44

Hi Prem

I have a similar problem. I created two groups in ACS and mapped one group to AD (DeviceAdmin) and the other group to Users in AD. Now users who are members of Domain Admin can't access my AAA clients and the rest can access the AAA clients, but I need it the other way around.

Let me tell you briefly my issue.

1. I need all users in AD to authenticate with AD username/password

2. Only one group in AD needs to access my AAA clients.

3. Only one group in my AD needs to authenticate with the VPN client.

Attached are the ACS group mapping and NAR in group DeviceAdmin.

I would appreciate it if you could give me clear steps for the above requirement.

Thanks & regards

Prem

pemasirid Wed, 03/12/2008 - 07:48

Hi Prem

Sorry, that was a typo; here is the requirement:

1. I need all users in AD to authenticate with AD username/password for the wireless network.

2. Only one group in AD needs to access my AAA clients.

3. Only one group in my AD needs to authenticate with the VPN client.

Jagdeep Gambhir Mon, 03/17/2008 - 06:41

To achieve it you need to set up NARs. Edit group settings (Device Admins) ----> Per group defined network access restrictions ----> Enable IP based ----> From the drop-down choose Permit ---> In the AAA clients drop-down choose the clients you want to allow access to ---> Use * for port and IP address ---> Enter.

ACS will permit access only to the above AAA clients, and all the rest will be denied.

Do the same for the AD group that should only access VPN.

Regards,

~JG

Do rate helpful posts
