Issue with group mapping in ACS.

Unanswered Question
Mar 5th, 2008

When we map an AD group in ACS to an ACS group, it shows up as the AD group and * (as below: “ ,* ”). Because of this *, everybody is able to log in irrespective of his AD group.


Please suggest a way to add only the NT group alone, without the *.

Jagdeep Gambhir Wed, 03/05/2008 - 06:58

Configure "all other combination" and map it to No Access group.



ACS--->Ext db group mapping--->windows---> All other combinations



Regards,

~JG


Do rate helpful posts

sumanth_myneni Mon, 03/17/2008 - 06:01
Hi,


Thanks for the information.


We understand this is an alternate and temporary solution. But still, people from one group will be able to access the other group.


Kindly provide me with a solution that restricts users to only one group.

Premdeep Banga Wed, 03/05/2008 - 13:46

Actually '*' means something else.


If you have a group on AD, say 'Alfa',


when you do a mapping on ACS, you'll see it like this:


'Alfa', * ------- Group x


The above means: if a user is a member of Group 'Alfa' on AD, and can also have any other group membership on AD (the meaning of *), then map him to Group x on ACS.


It does not mean map everyone to Group x, even if they are not members of Group 'Alfa' on AD.


As mentioned by JG above, all the users are able to authenticate because of your 'All other combinations' or \DEFAULT mapping on ACS.


Map them to .


Then only those will be able to log in, for whom you have the mapping defined on ACS.


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538


Check Step 8:


"The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."


Regards,

Prem
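To make the two points above concrete (the "*" only permits extra memberships, and it is the "all other combinations" entry that lets everyone in), here is a small added model of the mapping evaluation. It is example code written for this thread, not Cisco's or ACS's own code; it assumes mappings are evaluated top to bottom with the first matching entry winning, and the group and user names are constructed.

```python
# Added example: a model of how ACS evaluates Windows group mappings.
# Assumed model: entries are checked in order, the first entry whose AD
# group set is fully contained in the user's memberships wins, and the
# trailing "*" means extra memberships are allowed. Names are constructed.

NO_ACCESS = "<No Access>"


def evaluate_mapping(user_groups, mappings, all_other_combinations):
    """Return the ACS group a user lands in.

    user_groups: AD group names the user belongs to.
    mappings: ordered list of (frozenset of AD groups, ACS group name).
    all_other_combinations: ACS group used when no entry matches.
    """
    user_groups = set(user_groups)
    for required, acs_group in mappings:
        # 'Alfa', * : the user must hold every group in the set and
        # may hold any others, so a subset test models the "*".
        if set(required) <= user_groups:
            return acs_group
    return all_other_combinations


def can_login(user_groups, mappings, all_other_combinations):
    return evaluate_mapping(user_groups, mappings, all_other_combinations) != NO_ACCESS


# Constructed mapping table, in the order it would appear in ACS.
MAPPINGS = [
    (frozenset({"DeviceAdmin"}), "Group 1"),  # 'DeviceAdmin', * -> Group 1
    (frozenset({"Users"}), "Group 2"),        # 'Users', *       -> Group 2
]

# Constructed sample users and their AD memberships.
USERS = {
    "alice": {"DeviceAdmin", "Users", "Domain Admins"},
    "bob": {"Users"},
    "guest": {"Guests"},
}


def who_can_login(all_other_combinations):
    """Map each sample user to whether ACS would let them log in."""
    return {
        name: can_login(groups, MAPPINGS, all_other_combinations)
        for name, groups in USERS.items()
    }
```

With "all other combinations" left pointing at a real group, `guest` (who is in no mapped AD group) still gets in; pointing it at No Access is what closes that hole. Entry order also matters: a user in both DeviceAdmin and Users lands in whichever entry is listed first.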

pemasirid Wed, 03/12/2008 - 07:44
Hi Prem,


I have a similar problem. I created two groups in ACS and mapped one group to AD (DeviceAdmin) and the other group to Users in AD. Now users who are members of Domain Admin can't access my AAA clients and the rest can access the AAA clients, but I need it the other way around.


Let me tell you my issue briefly.

1. I need all users in AD to authenticate with their AD username/password.

2. Only one group in AD needs to access my AAA clients.

3. Only one group in my AD needs to authenticate with the VPN client.


Attached are the ACS group mapping and NAR in group DeviceAdmin.


I would appreciate it if you could give me clear steps for the above requirement, please.


thanks & regards

Prem
pemasirid Wed, 03/12/2008 - 07:48

Hi Prem,


Sorry, that was a typo. Here is the requirement:


1. I need all users in AD to authenticate with their AD username/password for the wireless network.

2. Only one group in AD needs to access my AAA clients.

3. Only one group in my AD needs to authenticate with the VPN client.



Jagdeep Gambhir Mon, 03/17/2008 - 06:41

To achieve this you need to set up NARs. Edit group settings (device admins) ----> Per group defined network access restrictions ----> Enable IP based ----> From the drop-down choose permit ---> In the AAA clients drop-down choose the clients you want to allow access to ---> Use * for port and IP address ---> Enter.


ACS will permit access only to the above AAA clients and all the rest will be denied.


Do the same for the AD group that should only access the VPN.


Regards,

~JG


Do rate helpful posts
