AAA Windows AD Authentication per Device Group

kidvelvet
Level 4

Hello,

I currently have an ACS system authenticating against a Win2K3 AD database. I have a user that is a member of multiple security groups that are mapped to multiple groups on the ACS. I want to be able to force authentication against a specific group based on the device group that is being used for authentication.

For example, User1 is a member of GroupA, GroupB, and GroupC in the AD. GroupA is mapped to Group1 in the ACS, GroupB is mapped to Group2, and GroupC is mapped to Group3. I have three device groups called switches, firewalls, and routers.

When User1 logs into a router, I want him to be authenticated against Group1. When User1 logs into a switch, authenticate against Group2, and a firewall would be authenticated against Group3. Is it possible to even do this? If so, how?

Thanks for your help!

Steve

5 Replies

noc
Level 1

I have the same problem.

The users mapped by external authenticator are dynamically linked to Cisco ACS group.

Since ACS uses the group order to match the credentials, even if the user is grouped in more than one group in AD, it's linked to the first ACS group.

I've tried also to use a NAR, but it doesn't seem to work.

Does anyone have suggestions?

Andrea

Doing the same setup with our new ACS, so I'm really hoping someone can assist with this problem.

craig.eyre
Level 1

Hi,

What version of ACS are you currently running?

Craig

I'm running version 4.0.1.27

Andrea

I am running multiple versions for multiple customers, from 4.0 to 4.2.
