Currently I use ACS 4.1 to authenticate network admin access to routers and switches. Users' credentials are authenticated against a Microsoft AD domain, but group membership is handled via ACS due to us not wanting to deal with the corporate AD bureaucracy regarding AD groups.
I am trying to migrate to ACS 5.1 due to its much more efficient and flexible policy, but am having issues trying to get the external users to be members of internal groups.
I REALLY don't want to have to create AD groups and do the whole group mapping thing. Am I missing something obvious, or am I overthinking it?
Sr. Network Communications Analyst
This can be done by creating an identity sequence:
1) Select "Password Based" as the Authentication Method
2) In "Authentication and Attribute Retrieval Search List" select AD1
3) In "Additional Attribute Retrieval Search List" select InternalUsers
4) Select the Advanced Option '
This can then be selected as the result in an identity policy. What this does is authenticate the user in Active Directory. If authentication fails, it will be treated as an authentication failure. If authentication passes, it will then look up the user in the internal user database. If there is no active user in the internal user database, the identity sequence will be treated as if it failed, with an "Authentication Status" of "UnknownUser".
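As an added illustration (not part of the answer above and not Cisco ACS code), the following Python models the decision flow the identity sequence produces: a password check against AD first, then an attribute lookup in the internal user store, with the three outcomes the answer describes. The AD and internal-user records are constructed sample data; the "Passed" and "AuthenticationFailed" status labels are assumed names for the two non-UnknownUser outcomes, and the identity group is carried from the internal record because that is where the poster keeps group membership.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical users and passwords, not real accounts).
AD_USERS = {                    # external store "AD1": username -> password
    "alice": "Winter2010!",
    "bob":   "Passw0rd",
    "carol": "letmein",          # exists in AD only, not in the internal store
}

INTERNAL_USERS = {              # internal store "InternalUsers": username -> record
    "alice": {"enabled": True,  "identity_group": "NetAdmins"},
    "bob":   {"enabled": False, "identity_group": "NetAdmins"},  # disabled account
}


@dataclass
class SequenceResult:
    # "UnknownUser" is the status named in the answer; the other two labels are assumed.
    status: str
    identity_group: Optional[str] = None


def authenticate_ad(username: str, password: str) -> bool:
    """Step 1 of the sequence: password-based authentication against AD1."""
    return AD_USERS.get(username) == password


def lookup_internal_user(username: str) -> Optional[dict]:
    """Step 2 of the sequence: additional attribute retrieval from InternalUsers."""
    return INTERNAL_USERS.get(username)


def evaluate_identity_sequence(username: str, password: str) -> SequenceResult:
    # A bad password (or a user AD has never heard of) is an authentication failure;
    # the internal store is never consulted in that case.
    if not authenticate_ad(username, password):
        return SequenceResult("AuthenticationFailed")

    # AD accepted the credentials, so look the user up in the internal database.
    # No record, or a record that is not active, makes the whole sequence fail
    # with the "UnknownUser" authentication status.
    record = lookup_internal_user(username)
    if record is None or not record["enabled"]:
        return SequenceResult("UnknownUser")

    # Success: the identity group comes from the internal record, not from AD groups.
    return SequenceResult("Passed", record["identity_group"])


if __name__ == "__main__":
    for user, pw in [("alice", "Winter2010!"), ("alice", "wrong"),
                     ("bob", "Passw0rd"), ("carol", "letmein"), ("dave", "x")]:
        print(user, evaluate_identity_sequence(user, pw))
```

The case to watch in a migration like the one described is "carol": a valid AD login that is still rejected because no active internal user exists, so every admin who should keep access needs an enabled internal account in ACS 5.1 before the policy is cut over.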