Issue with group mapping in ACS.

sumanth_myneni · ‎03-05-2008

When we map AD group in ACS with ACS group it coming as AD group and * (As below â€œ ,* â€ ) , Because of this * everybody is able to login irrespective of his AD group.

Please suggest way to only add the NT Group alone without the *.

Jagdeep Gambhir · ‎03-05-2008

Configure "all other combination" and map it to No Access group.

ACS--->Ext db group mapping--->windows---> All other combinations

Regards,

~JG

Do rate helpful posts

sumanth_myneni · ‎03-17-2008

Hi,

Thanks for the information.

We understand this is alternate and temporary solution. But still people from one group will be able to access other group.

Kindly provide me with a solution which restricts users to only one group.

Premdeep Banga · ‎03-05-2008

Actually '*' means something else.

If you have a group on AD say 'Alfa'

when you do a mapping on ACS, you'll see it like this,

'Alfa', * ------- Group x

Above means, if a user a member of Group 'Alfa' on AD, AND can also have any other group membership on AD (meaning of *), then map it to Group x on ACS.

It does not mean map everyone to Group x, even if they are not a member of Group 'Alfa' on AD.

As mentioned by JG above, all the users are able to authentication because of your 'All other combination' or \DEFAULT mapping on ACS.

Map them to .

Then only those will be able to log in, for whom you have the mapping defined on ACS.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMap.html#wp940538

Check Step 8,

"The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."

Regards,

Prem

pemasirid · ‎03-12-2008

Hi Prem

I have simillar problem. I created two groups in ACS and map one group to AD (DeviceAdmin) and other group to Users in AD. Now users in member of Domain Admin cant access my AAA clients and rest can access the AAA clients, but I need the otherway around.

Let me tell you briefly my issue.

1. I need all users in AD to authenticate with AD username/password

2.Only one group in AD need to access my AAA clients

3. Only one group in my AD need to authenticate with VPN client.

Attached are the ACS group mapping and NAR in group DeviceAdmin.

Appreciate if you can give me a clear steps for the above requirement please....

thanks & regards

Prem

pemasirid · ‎03-12-2008

Hi Prem

Sorry that was typo error..here is the requirement

1. I need all users in AD to authenticate with AD username/password for wireless network

2.Only one group in AD need to access my AAA clients

3. Only one group in my AD need to authenticate with VPN client.

Jagdeep Gambhir · ‎03-17-2008

To achieve it you need to set up NAR's. Edit group settings ( device admins ) ----> Per group defined network access restrictions---->Enable IP based ----> From drop down choose permit--->In AAA clients drop down choose clients you want to allow access---> Use * for port and IP address --->Enter.

ACS will permit access to only above aaa clients and rest all be denied.

Same way do it for AD group that should only access vpn.

Regards,

~JG

Do rate helpful posts