Problem with ACS group mappings

Apr 24th, 2009

When users log in and authenticate through ACS, they are dropped into the Group: Default instead of the group that I created for them.

I have added wireless to our environment, and I want to take advantage of using RADIUS and 802.1X to authenticate the wireless users.

Here's my goal: I want the "WiFi-Admin" group mapped to the Windows Active Directory group "Administrators" and assign this group to vlan "Vlan604".

So I did the following:

1. Created ACS Group: WiFi-Admin

2. Assigned the Cisco Airespace Radius Attribute: [14179\005] Aire-Interface-Name = vlan604

3. Went to External User Database > Database Group Mapping > selected my Active Directory, and assigned the "Administrator" group to the ACS Group: "WiFi-Admin".

Authentication is passed.

Users are mapped to the correct VLAN and subnet.

But they do not show up in that group; instead they show up in the Group: Default.

I did find a workaround in the Cisco wiki, case # K36044078, and applied it, but then that failed. Users could not authenticate and could not connect wirelessly.

Any help would be much appreciated.

darpotter Mon, 04/27/2009 - 02:31

Did the user already exist in ACS?

If yes, you need to manually set each user's group membership (under user edit) to be assigned by external authenticator (can't remember the exact wording).

Only users with that dynamic mapping type will get group mapped after authentication.

If you have unknown user authentication enabled and no-user users local to ACS then it should be working and something else must be going wrong.

Darran
