Multiple ACS/AD Groups for NDG

Answered Question
Jan 28th, 2010

Hello,

I've been racking my brain over this for a few days, and it's just not coming to me. I'll try and be as succinct as possible. I'm in the process of transitioning my users from IPSEC to SSL web/client VPN. During this process, I want to limit users to what they need to get to only.

ASA Firewall configured for SSL VPN and IPSEC VPN (8.2.1)

Cisco ACS for Windows (4.2)

Windows Active Directory Domain

We have multiple departments that will each need different levels of access. We currently have one group of users that belong to an AD group that is mapped to an ACS group. Everything happens just fine for the IPSEC VPN and SSL VPN as it is. The problem I'm running into is adding a new group(s) to the mix and getting the correct checks in place for membership to that group.

Example:  If you are in the AD group OWA, you should only have access to OWA when you log in to SSL VPN.

Example:  If you are in the AD group Marketing, you should have access to shares and resources that are predefined.

There could be up to 10 groups.

I've added a new group to the ACS server and mapped it to the corresponding group. But I guess I'm not understanding how to get from the ASA --> ACS to check for membership to that group. I've tried DAP from the ASA with checks against RADIUS attribs, but it fails. I just feel like I'm missing something in the ACS server I need to do first.

Thanks in advance for help.

Correct Answer by Ivan Martinon about 6 years 11 months ago

Hi Chris,

When checking groups, the ASA only reads the Class attribute from the ACS access-accept packet; depending on this class value the ASA will map you to a certain group policy, as your configuration might say.

ACS will read the first memberOf value retrieved from the AD profile and map the user to the group accordingly, so if you have multiple groups on a single user it will always match the first one on the list (don't ask me what order AD sends the groups to the ACS in).

From the first statement, I can think that you will need as many group policies as functions you need; based on the class value they will be mapped to this group policy and then these functions will be enabled. This I believe can be done with plain RADIUS authentication and RADIUS attributes or with DAP (DAP gives you further customization options). As well, you can skip ACS and use ASA--LDAP--AD and use memberOf attributes.

Let me know if this makes any sense at all.


Christopher Bell Thu, 02/04/2010 - 04:41

Thanks for your response, I had finally figured out pretty much what you are explaining. Definitely the correct answer.

Jagdeep Gambhir Thu, 02/04/2010 - 10:16

Chris,

This is how group mapping in ACS works. Let's say that you have three different groups on AD: NetworkAdmin, RouterAdmin, Wireless.

Go to External User Database == Database Group Mappings == Windows NT/2000 == select the domain to which you are authenticating == Add mapping.

Select the AD group NetworkAdmin and map it to CiscoSecure group 1, select the AD group RouterAdmin and map it to CiscoSecure group 2, select the AD group Wireless and map it to CiscoSecure group 3.

Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin, and that is mapped to ACS group 1, and it is the first configured mapping, it will be looked for FIRST (if a user exists in the NetworkAdmin group it will always be mapped to CiscoSecure group 1, NO further mappings for this user are checked, and the user is authenticated or rejected).

Scenario: if you have a user called cisco in the NetworkAdmin group, cisco1 in the RouterAdmin group, and cisco2 in Wireless, they will always be dynamically mapped to ACS groups 1, 2 and 3 respectively, as per the above mappings.

You can check on the passed authentications for users what group they are getting mapped to.

SCENARIO:
Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not Wireless or RouterAdmin devices, you would need to apply NARs to group 1, because NetworkAdmin users are connecting to that group. With these you will permit access on a group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.

ACS will not support the following configuration:
*An Active Directory user that is a member of 3 AD groups (group A, B and C)
*Those 3 groups are mapped within ACS as follows

Group1-A, Group2-B and Group3-C.

*The user is in all 3 groups; however, he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.

However, if your mappings are in the below order...

NT Groups          ACS groups

A,B,C =============> Group 1
A     =============> Group 2
B     =============> Group 3
C     =============> Group 4

You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group 1. This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
You can create a rule for users in group A (Group 2), you can create a rule for users in group B (Group 3), and you can create a rule for users in group C (Group 4).

Regards,

~JG
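The first-match ordering JG describes, modelled as an added Python example (not code from the thread or from ACS itself); the mapping tables, group names and the shadowing check are constructed to mirror the A/B/C scenario:

```python
"""Model of Cisco ACS 4.x ordered AD-group to ACS-group mapping.
Added example, not taken from the thread or from ACS. Mapping tables and
group names are constructed to mirror the A/B/C scenario above.
"""

# Each mapping is (AD groups that must ALL be present, ACS group). ACS walks
# the list in configured order and stops at the first mapping that matches;
# no later mapping is consulted for that user.
MAPPINGS = [
    ({"A", "B", "C"}, "Group 1"),   # only users in all three land here
    ({"A"}, "Group 2"),
    ({"B"}, "Group 3"),
    ({"C"}, "Group 4"),
]

# The unsupported ordering from the thread: a user in A, B and C always
# stops at the first single-group rule, so per-group NARs never apply.
BAD_ORDER = [
    ({"A"}, "Group 1"),
    ({"B"}, "Group 2"),
    ({"C"}, "Group 3"),
]


def map_user(member_of, mappings):
    """Return the ACS group a user lands in, or None if nothing matches."""
    groups = set(member_of)
    for required, acs_group in mappings:
        if required <= groups:          # all required AD groups present
            return acs_group
    return None


def audit_shadowed(mappings):
    """List (mapping, earlier mapping) pairs where the earlier, less
    specific rule always fires first, so the later one can never match.
    Useful when reviewing an ACS mapping table before trusting its NARs."""
    shadowed = []
    for i, (required, name) in enumerate(mappings):
        for earlier_required, earlier_name in mappings[:i]:
            if earlier_required <= required:
                shadowed.append((name, earlier_name))
                break
    return shadowed


if __name__ == "__main__":
    print(map_user(["A", "B", "C"], MAPPINGS))   # Group 1
    print(map_user(["A", "B", "C"], BAD_ORDER))  # Group 1, B and C ignored
    print(audit_shadowed([({"A"}, "G1"), ({"A", "B"}, "G2")]))
```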

sunil.aroraa Fri, 02/05/2010 - 04:27

Hi JGambhir,

I have a similar question. I have the ACS local user database and AD integrated with ACS for wireless user authentication. But AD users are able to log in to AAA clients, that is the problem and I want to stop this. So I want to restrict it so that only ACS local users should be able to log in to AAA clients and wireless users should be authenticated against the AD database.

Thank You,

Sunil Arora

doug573 Thu, 02/18/2010 - 06:17

I have a similar problem that I have been struggling with for 3 days.

I am running ACS 4.1 and trying to authenticate my VPN (ASA5550) users against it. I have 4 AD groups that I would like to map to 4 different policies. Only one of the groups is mapping properly, the first one in the AD list. I have checked and checked and everything is spelled properly on the ACS and the ASA. I have checked and the test user is not in multiple groups.

The user is able to authenticate, but is given the DfltGrpPolicy unless he is in the first AD group. The even stranger part is that the user, when not in the first group, is created in ACS in the proper group, but the ASA never gets that information.

I am 99% sure that the ASA is set up properly, since this is all working with the campus RADIUS server and only breaks when I use ACS.

Thanks for any insight

-Doug

Ivan Martinon Thu, 02/18/2010 - 07:50

First we need to find out why the user is not placed in the correct group when authenticating from the ASA. According to what you are saying, you have 4 groups on AD that you need to map on ACS; the group mapping is defined correctly, I assume. If that is the case, then what happens is that the user is only mapped correctly to one group (the first on the list); if that is the case we might need the logs from the ACS.

What is your ACS platform, 4.x or 5.x, and is it an appliance or ACS for Windows? Based on this is how we will retrieve the logs from the ACS.

Now once we have figured this out, we need to make sure that each group has the correct CLASS definition in place. This class is attribute 25 (RADIUS) that will be passed to the ASA; make sure the format is correct and make sure that the name is exactly the same as the ASA's group policies.

doug573 Thu, 02/18/2010 - 08:17

That was it. I had the class definition defined in only one group, and only because I was troubleshooting other issues. Not sure if having done that helped or hindered my troubleshooting this issue over the past days. Once I defined the class attribute in all four ACS groups, everything works properly.

The annoying thing is that I had set this all up in a prior install of ACS four years ago for our VPN 3020 before authentication was moved to the campus RADIUS server.

I appreciate the help, I may have not figured that out without your assistance.

Thanks

-Doug
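The ASA-side behaviour Ivan and Doug describe (only the RADIUS Class attribute is consulted, and a missing or mismatched one lands the user in DfltGrpPolicy), modelled as an added Python example that is not code from the thread or from Cisco; it assumes the documented ASA Class format OU=<group-policy>; and all policy and ACS group names in it are constructed:

```python
"""ASA group-policy selection from the RADIUS Class attribute (25), and an
audit that every ACS group sends a usable one. Added example, not from the
thread or Cisco; OU=<group-policy>; is the documented ASA Class format."""
import re

# Group-policies configured on the ASA (constructed names).
ASA_GROUP_POLICIES = {"OWA_ONLY", "MARKETING", "NETADMIN", "DfltGrpPolicy"}

# Class value each ACS group is configured to send; None models a group
# whose Class attribute was never defined (the DfltGrpPolicy symptom above).
ACS_GROUP_CLASS = {
    "Group 1": "OU=OWA_ONLY;",
    "Group 2": "OU=MARKETING;",
    "Group 3": None,
    "Group 4": "OU=netadmin;",   # case mismatch: no such policy on the ASA
}

CLASS_RE = re.compile(r"^OU=([^;]+);?$")

def select_group_policy(radius_attrs, default="DfltGrpPolicy"):
    """Group-policy the ASA applies for an Access-Accept whose attributes
    are given as {attribute_number: value}. Only Class (25) is consulted;
    a missing, malformed or unmatched value falls back to the default."""
    value = radius_attrs.get(25)
    if value is None:
        return default
    m = CLASS_RE.match(value.strip())
    if not m or m.group(1) not in ASA_GROUP_POLICIES:
        return default   # exact, case-sensitive name match is required
    return m.group(1)

def audit_acs_groups(acs_groups=ACS_GROUP_CLASS, policies=ASA_GROUP_POLICIES):
    """ACS groups whose users would silently land in the default policy."""
    problems = {}
    for group, cls in acs_groups.items():
        m = CLASS_RE.match(cls.strip()) if cls else None
        if cls is None:
            problems[group] = "no Class attribute defined"
        elif not m:
            problems[group] = f"malformed Class value {cls!r}"
        elif m.group(1) not in policies:
            problems[group] = f"no ASA group-policy named {m.group(1)!r}"
    return problems

if __name__ == "__main__":
    print(select_group_policy({25: "OU=MARKETING;"}))   # MARKETING
    print(select_group_policy({}))                       # DfltGrpPolicy
    print(audit_acs_groups())
```

Running the audit against the real ACS group table before cutover catches the "everything spelled right, still DfltGrpPolicy" case from this thread without waiting for a user to report it.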
