05-12-2009 09:32 PM - edited 03-10-2019 04:29 PM
Hi all,
Most probably this question has been asked earlier but I couldnt find any during my research in this forum.
For now, I setup all our networking devices to use tacacs+ for authentication and it works ok. What I want to accomplish is, I want to restrict the user privileges based on which AD group the user belongs to. I think I need to setup our existing AD as an LDAP server on Cisco ACS.
Like if the user belongs to an ordinaru Domain Users group he wont get authorized to access that network device but if he/she belongs to CiscoAdmins group in our active directory structure then they will have granted access.
If anyone has any config examples (not just guides) on ways of doing this I would really appreciate if they can share those with me. I really do not have time to go through many pages of Cisco ACS Admin guide.
Thanks in advance.
05-14-2009 12:32 AM
With the limited time you do have... read the docs on external authentication & group mapping.
Set the unknown user policy to authenticate against Windows. Then on the group mappings sub-config map between the desired AD groups and ACS groups. Noting that this is a prioritised list (can screw you up if users are members of multiple AD groups unless you are careful). The last entry in the list can be mapped to
et voila.
No need to manually add users to ACS and each authenticated user will be dynamically assigned an ACS group based on AD membership.
05-14-2009 12:42 AM
Thanks, been there but couldnt find a way. Will take a look at it after reading your message. Appreciate it.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: