
ACS 4.x and Dynamic Mappings

brobinson
Level 1

Hi -

We have ACS integrated with AD and when a user is dynamically mapped, we would like to change the group locally on the ACS from what the mapping was, but after a while, the user changes back to "dynamic mapping" and the old group.

Is the only way to keep the setting to create the user locally and tell it to look for the password in the "Windows Database"?

Thank you!


darpotter
Level 5

It shouldn't be. If you edit a dynamic user to hard-set group membership, the setting should remain.

That said, such users still have an "auto created" flag which newer versions of ACS probably use in order to seek out and destroy dynamic users.

Sounds like the safest way, as you've found, is to manually create.

Also worth noting with AD, the same user could end up with several accounts in ACS depending on how they entered their name:

DOMAIN/user

user

user@DOMAIN

Each would look different to ACS and you might get multiple accounts.

Worse still, if you are doing NAC/NAP you'll see ACS create a user record for each user for each NAP.

Thanks for the reply! Good info.

I will probably end up filing a TAC case to get a definitive answer as to why the users are cleared even though their group is changed after they are dynamically mapped.

Must we migrate to Microsoft IAS before some Cisco Expert could give us some answer?

I'm sorry, I've sent a reply to the wrong topic.

I was referring to the previous post "AAA: AAA Windows AD Authentication per Device Group" and I am so frustrated because I don't find a solution.
