Retrieving Group Info from Microsoft AD ?

Unanswered Question
May 12th, 2009
Hi all,

Most probably this question has been asked earlier, but I couldn't find any during my research in this forum.

For now, I set up all our networking devices to use TACACS+ for authentication and it works OK. What I want to accomplish is, I want to restrict the user privileges based on which AD group the user belongs to. I think I need to set up our existing AD as an LDAP server on Cisco ACS.

Like, if the user belongs to an ordinary Domain Users group he won't get authorized to access that network device, but if he/she belongs to the CiscoAdmins group in our Active Directory structure then they will be granted access.

If anyone has any config examples (not just guides) on ways of doing this I would really appreciate if they can share those with me. I really do not have time to go through many pages of Cisco ACS Admin guide.

Thanks in advance.

darpotter Thu, 05/14/2009 - 00:32

With the limited time you do have... read the docs on external authentication & group mapping.

Set the unknown user policy to authenticate against Windows. Then on the group mappings sub-config, map between the desired AD groups and ACS groups. Note that this is a prioritised list (it can screw you up if users are members of multiple AD groups unless you are careful). The last entry in the list can be mapped to so that not every Tom, Dick or Harry can get in.

et voila.

No need to manually add users to ACS and each authenticated user will be dynamically assigned an ACS group based on AD membership.
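As an added illustration (not code from the thread or from Cisco), a small Python model of the prioritised, first-match group mapping darpotter describes, showing why an entry keyed on a group every account holds (such as Domain Users) must sit last, not first. The rule that an entry matches only when the user holds all the AD groups it lists, plus the group names and the NoAccess catch-all, are assumptions made for the example.

```python
# Added example, not from the thread: a model of the prioritised, first-match
# group mapping the answer describes. It assumes that an entry matches when the
# user holds ALL the AD groups it lists and that ACS stops at the first matching
# entry. Group names are constructed for illustration.

NO_ACCESS = "NoAccess"   # constructed ACS group used as the catch-all

# Ordered mapping list: (required AD groups, ACS group).
# The final entry lists no groups, so it matches everyone not caught above.
MAPPINGS = [
    ({"CiscoAdmins"}, "NetAdmins"),        # full device access
    ({"CiscoReadOnly"}, "NetReadOnly"),    # show commands only
    (set(), NO_ACCESS),                    # everyone else: denied
]

# The pitfall: every account is in "Domain Users", so a deny entry keyed on it
# that sits above CiscoAdmins swallows the admins too.
BAD_ORDER = [
    ({"Domain Users"}, NO_ACCESS),
    ({"CiscoAdmins"}, "NetAdmins"),
]


def map_ad_to_acs(user_groups, mappings=MAPPINGS):
    """Return the ACS group for a user holding the given AD groups (first match)."""
    for required, acs_group in mappings:
        if required <= set(user_groups):
            return acs_group
    return NO_ACCESS  # no catch-all entry: treat as denied rather than fall open


def unreachable_entries(mappings, universal=frozenset({"Domain Users"})):
    """Indexes of entries that can never match because an earlier entry
    requires only groups every account holds (and so matches everyone)."""
    for i, (required, _) in enumerate(mappings):
        if required <= universal:
            return list(range(i + 1, len(mappings)))
    return []


if __name__ == "__main__":
    admin = {"Domain Users", "CiscoAdmins"}
    print(map_ad_to_acs(admin))             # NetAdmins
    print(map_ad_to_acs(admin, BAD_ORDER))  # NoAccess: deny entry shadows admins
    print(unreachable_entries(BAD_ORDER))   # [1]
```

Run `unreachable_entries` over a mapping list before deploying it: any index it returns is an entry that will never be reached, which is exactly the "members of multiple AD groups" trap the answer warns about.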

dumlutimuralp Thu, 05/14/2009 - 00:42
Thanks, been there but couldn't find a way. Will take a look at it after reading your message. Appreciate it.
