AAA Windows AD Authentication per Device Group

Unanswered Question
Jun 15th, 2008


I currently have an ACS system authenticating against a Win2K3 AD database. I have a user that is a member of multiple security groups that are mapped to multiple groups on the ACS. I want to be able to force authentication against a specific group based on the device group that is being used for authentication.

For example, User1 is a member of GroupA, GroupB, and GroupC in the AD. GroupA is mapped to Group1 in the ACS, GroupB is mapped to Group2, and GroupC is mapped to Group3. I have three device groups called switches, firewalls, and routers.

When User1 logs into a router, I want him to be authenticated against Group1. When User1 logs into a switch, authenticate against Group2, and a firewall would be authenticated against Group3. Is it possible to even do this? If so, how?

Thanks for your help!



I have the same problem.

The users mapped by external authenticator are dynamically linked to Cisco ACS group.

Since ACS uses the group order to match the credentials, even if the user is grouped in more than one group in AD, it's linked to the first ACS group.

I've tried also to use a NAR, but it doesn't seem to work.

Does anyone have suggestions?


azore2007 Tue, 07/15/2008 - 00:29

Doing the same setup with our new ACS so I'm really hoping someone can assist with this problem

