07-12-2008 05:01 AM - edited 03-10-2019 03:58 PM
Hi -
We have ACS integrated with AD and when a user is dynamically mapped, we would like to change the group locally on the ACS from what the mapping was, but after a while, the user changes back to "dynamic mapping" and the old group.
Is the only way to keep the setting to create the user locally and tell it to look for the password in the "Windows Database"?
Thank you!
07-14-2008 11:25 PM
It shouldn't be. If you edit a dynamic user to hard-set group membership, the setting should remain.
That said, such users still have an "auto created" flag which newer versions of ACS probably use in order to seek out and destroy dynamic users.
Sounds like the safest way, as you've found, is to manually create.
Also worth noting with AD, the same user could end up with several accounts in ACS depending on how they entered their name:
DOMAIN/user
user
user@DOMAIN
Each would look different to ACS and you might get multiple accounts.
Worse still, if you are doing NAC/NAP you'll see ACS create a user record for each user for each NAP.
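The duplicate-account effect described in the reply above can be checked for in a list of ACS usernames. This is an added example, not part of the original post and not Cisco code; the default domain `CORP`, the rule that a DNS-style domain matches the NetBIOS name on its first label, and the sample names are all assumptions made for illustration.

```python
from collections import defaultdict

DEFAULT_DOMAIN = "CORP"  # assumption: domain implied when a user types a bare name


def canonical(name, default_domain=DEFAULT_DOMAIN):
    """Reduce DOMAIN/user, DOMAIN\\user, user@DOMAIN or user to (domain, user)."""
    name = name.strip()
    for sep in ("\\", "/"):
        if sep in name:
            domain, user = name.split(sep, 1)
            break
    else:
        if "@" in name:
            user, domain = name.rsplit("@", 1)
        else:
            domain, user = default_domain, name
    # Assumption: corp.example.com and CORP are the same domain (first label).
    domain = domain.split(".", 1)[0]
    # AD logon names are case-insensitive, so compare in lower case.
    return domain.lower(), user.lower()


def find_duplicates(names, default_domain=DEFAULT_DOMAIN):
    """Group account names by canonical identity; return groups with >1 entry."""
    groups = defaultdict(list)
    for raw in names:
        if raw.strip():
            groups[canonical(raw, default_domain)].append(raw)
    return {key: found for key, found in groups.items() if len(found) > 1}


# Constructed sample of account names as they might appear in the ACS user list.
SAMPLE = [
    "CORP/jsmith", "jsmith", "jsmith@CORP",
    "CORP\\adoe",
    "bwong@corp.example.com", "BWong",
    "OTHER/jsmith",
]

if __name__ == "__main__":
    for (domain, user), found in find_duplicates(SAMPLE).items():
        print(f"{domain}\\{user}: {len(found)} ACS accounts -> {found}")
```

Each group it reports is one AD identity holding several ACS records, so a group change made on one record will not apply when the user logs in under another form of the name.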
07-15-2008 12:11 AM
Thanks for the reply! Good info.
I will probably end up filing a TAC case to get a definitive answer as to why the users are cleared even though their group is changed after they are dynamically mapped.
07-15-2008 01:19 AM
Must we migrate to Microsoft IAS before some Cisco Expert could give us some answer?
07-16-2008 11:57 AM
I'm sorry, I've sent a reply to the wrong topic.
I was referring to the previous post "AAA: AAA Windows AD Authentication per Device Group" and I am so frustrated because I don't find a solution.