03-05-2008 03:28 AM - edited 03-10-2019 03:41 PM
When we map an AD group in ACS to an ACS group, it comes up as the AD group and * (as below: ",*"). Because of this * everybody is able to log in irrespective of their AD group.
Please suggest a way to add only the NT group alone, without the *.
03-05-2008 06:58 AM
Configure "all other combination" and map it to No Access group.
ACS--->Ext db group mapping--->windows---> All other combinations
Regards,
~JG
Do rate helpful posts
03-17-2008 06:01 AM
Hi,
Thanks for the information.
We understand this is an alternate and temporary solution. But still, people from one group will be able to access the other group.
Kindly provide me with a solution that restricts users to only one group.
03-05-2008 01:46 PM
Actually '*' means something else.
If you have a group on AD, say 'Alfa',
when you do a mapping on ACS, you'll see it like this:
'Alfa', * ------- Group x
The above means: if a user is a member of group 'Alfa' on AD, AND can also have any other group membership on AD (the meaning of *), then map them to Group x on ACS.
It does not mean map everyone to Group x, even if they are not a member of group 'Alfa' on AD.
As mentioned by JG above, all the users are able to authenticate because of your 'All other combinations' or \DEFAULT mapping on ACS.
Map them to
Then only those will be able to log in, for whom you have the mapping defined on ACS.
Check Step 8,
"The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set."
Regards,
Prem
03-12-2008 07:44 AM
Hi Prem
I have a similar problem. I created two groups in ACS and mapped one group to AD (DeviceAdmin) and the other group to Users in AD. Now users who are members of Domain Admin can't access my AAA clients and the rest can access the AAA clients, but I need it the other way around.
Let me tell you briefly my issue.
1. I need all users in AD to authenticate with their AD username/password.
2. Only one group in AD needs to access my AAA clients.
3. Only one group in my AD needs to authenticate with the VPN client.
Attached are the ACS group mapping and the NAR in group DeviceAdmin.
I would appreciate it if you could give me clear steps for the above requirement please....
thanks & regards
Prem
03-12-2008 07:48 AM
03-17-2008 06:41 AM
To achieve it you need to set up NARs. Edit group settings (device admins) ----> Per group defined network access restrictions ----> Enable IP based ----> From the drop down choose permit ----> In the AAA clients drop down choose the clients you want to allow access to ----> Use * for port and IP address ----> Enter.
ACS will permit access only to the above AAA clients and all the rest will be denied.
Do the same for the AD group that should only access VPN.
Regards,
~JG
Do rate helpful posts
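To make the two points in this thread concrete (Prem's explanation that ',*' means "plus any other AD membership" with the catch-all mapping deciding everyone else, and JG's per-group IP-based NAR in permit mode), here is a small model of that evaluation order. It is an added example, not Cisco ACS code; the AD group names, ACS group names and AAA client names are constructed, and treating a rule without '*' as an exact-membership match is an assumption made only to contrast it with the '*' case.

```python
"""Model of the ACS external-DB group mapping and per-group NAR logic
described in this thread. Added example, not Cisco ACS code; group and
AAA-client names are constructed for illustration."""
from dataclasses import dataclass

NO_ACCESS = "No Access"


@dataclass(frozen=True)
class MappingRule:
    required: frozenset          # AD groups the user must belong to
    acs_group: str               # ACS group the rule maps to
    allow_other: bool = True     # the trailing '*' shown in the ACS UI

    def matches(self, user_groups):
        user_groups = frozenset(user_groups)
        if not self.required <= user_groups:
            return False
        # Assumption: without '*', the memberships must equal the set exactly.
        return self.allow_other or user_groups == self.required


def map_user(user_groups, rules, all_other_combinations):
    """First matching rule wins; the catch-all decides everyone else."""
    for rule in rules:
        if rule.matches(user_groups):
            return rule.acs_group
    return all_other_combinations


@dataclass(frozen=True)
class IpBasedNar:
    """Per-group NAR in 'permit' mode: only the listed AAA clients, '*' = any."""
    permitted_clients: frozenset

    def permits(self, aaa_client):
        return "*" in self.permitted_clients or aaa_client in self.permitted_clients


def access_decision(user_groups, aaa_client, rules, all_other, nars):
    """Return (acs_group, allowed) for a login attempt at a given AAA client."""
    acs_group = map_user(user_groups, rules, all_other)
    if acs_group == NO_ACCESS:
        return acs_group, False
    nar = nars.get(acs_group)              # a group without a NAR is unrestricted
    return acs_group, (nar is None or nar.permits(aaa_client))


# Constructed configuration: 'DeviceAdmin', * -> Device Admins; 'Users', * -> Users
RULES = [MappingRule(frozenset({"DeviceAdmin"}), "Device Admins"),
         MappingRule(frozenset({"Users"}), "Users")]
NARS = {"Device Admins": IpBasedNar(frozenset({"core-switch-1", "edge-router-1"})),
        "Users": IpBasedNar(frozenset({"vpn-concentrator"}))}
```

Run with the catch-all set to an access-granting group instead of NO_ACCESS to reproduce the original poster's symptom: anyone who matches no rule still gets in.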