ACS Group mapping and restrictions

Unanswered Question
Oct 24th, 2009
User Badges:


I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.

ACS Groups

Netadmin - need telnet/ssh/vpn/wireless

wireless - only wireless authentication

vpn - only vpn authenticaiton

I need to map the above ACS groups to one/or many AD groups and restric access as stated.

Also please note that one user can be belongs to all three groups in ACS/AD.

thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
darpotter Mon, 10/26/2009 - 01:35
User Badges:
  • Silver, 250 points or more

You'll need ACS v4 NAPs to achieve this.

ACS v3 essentially has 1 NAP - you cant configure on a per service basis.

ACS v4 allows you to define a NAP by device typing, inbound packet content (eg matching attributes) etc. Each NAP can have its own database mappings and ACS groups. It can get quite messy if you have lots of groups!

Assuming perhaps that telnet/ssh was done via TACACS+, you'd need 2 NAPs - one for vpn and one for wlan. For each NAP you'd map the admin group first then other (vpn or wireless) and everything else to NO ACCESS.

RADIUS authorisation components allow you to create re-usable sets of attributes. Create one for vpn and another for wlan.

You can link to the RADIUS SPC from within each NAP.

Jagdeep Gambhir Mon, 10/26/2009 - 06:12
User Badges:
  • Red, 2250 points or more

In ACS user can only belong to one group. But in AD we can have one user a part of multiple group.

In this scenario, it is very important to understand how ACS group mapping works.

Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.

Select the AD group NetworkAdmin and map it to ciscosecure group 1

select the AD group RouterAdmin and map it to ciscosecure group 2

select the AD group Wireless and map it to ciscosecure group 3

Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)

Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.

You can check the mappings on the passed authentications for users as to what group are they getting mapped to.


Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.


If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for

routers and switches.

IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached

username is to go to usersetup find that user and delete it manually.

ACS will not support the following configuration:

*An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.

*The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.

However there if your mappings are in below order...

NT Groups ACS groups

A,B,C =============> Group 1

A =============> Group 2

B =============> Group 3

C =============> Group 4.

You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.

This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).

You can create a rule for users in group A (Group 2)

You can create a rule for users in group B (Group 3)

You can create a rule for users in group C (Group 4)

Once done you need to set up NAR's on the ACS group level,



Do rate helpful posts

pemasirid Sat, 10/31/2009 - 09:53
User Badges:

Hi JG,

Many thanks for your response. I still couldnt check this out as I was in a short vacation. I will try this out and let you know the outcome, perhaps I may request your help again :).


pemasirid Sat, 10/31/2009 - 09:52
User Badges:

Hi Potter,

Many thanks for your response. I still couldnt check this out as I was in a short vacation. I will try this out and let you know the outcome, perhaps I may request your help again :).



This Discussion