ACS config

Apr 4th, 2010

Hello,

We are using ACS 4.2 to authenticate network admins' access to switches and routers. ACS is integrated with Windows Active Directory.

So we map AD groups to ACS groups, and we specify access restrictions in the ACS groups.

Now we want to use this ACS to authenticate wireless users. Wireless users will use their AD accounts.

So I think we should create a new internal group in ACS and map AD mobile users to this group. Using RADIUS attributes we can put these users in one particular VLAN.

However, what if a network administrator accesses the wireless network? He will use an AD account that belongs to both groups: the network-admin group and the wireless group.

So what will ACS do in this case? Will the user be mapped to the first group, the second, or maybe both?

Ganesh Hariharan Sun, 04/04/2010 - 22:58


Hi,

ACS always maps a user to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named Gary could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both of these combinations, ACS has to determine to which group John should be assigned.

ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user's group memberships in the external user database against each group mapping in the list. On finding the first group set mapping that matches the user's external user database group memberships, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.

Hope this helps!

Ganesh.H


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
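To make the "first matching group set mapping wins" rule concrete for the admin-on-wireless case above, here is an added simulation of the ordered evaluation (example code, not Cisco's, and not part of the original thread); the AD group names, ACS group names and the fallback "Default Group" are constructed assumptions:

```python
"""Simulate ACS 4.2 ordered group set mapping: top-down, first match wins.

Constructed illustration of the behaviour described in the reply; nothing
here is Cisco code, and all group names are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class GroupSetMapping:
    # Every external (AD) group listed here must contain the user for a match.
    required_ad_groups: frozenset
    acs_group: str


def map_user_to_acs_group(ad_memberships: Iterable[str],
                          ordered_mappings: List[GroupSetMapping],
                          default_group: str = "Default Group") -> str:
    """Walk the mapping list in order and return the ACS group of the first
    mapping whose required AD groups are all present in the user's memberships.
    Evaluation stops at that mapping; later mappings are never consulted.
    The fallback for an unmatched user is an assumption for this example."""
    memberships = frozenset(g.lower() for g in ad_memberships)  # case-insensitive, like AD names
    for mapping in ordered_mappings:
        required = frozenset(g.lower() for g in mapping.required_ad_groups)
        if required <= memberships:
            return mapping.acs_group
    return default_group


# Constructed mapping list: the admin mapping is placed above the wireless one.
MAPPINGS = [
    GroupSetMapping(frozenset({"Network-Admins"}), "ACS-NetworkAdmins"),
    GroupSetMapping(frozenset({"Wireless-Users"}), "ACS-WirelessUsers"),
]

# A network administrator who also belongs to the wireless AD group.
ADMIN_ON_WIFI = {"Network-Admins", "Wireless-Users", "Domain Users"}


def example_admin_on_wireless() -> str:
    # Both mappings match, but only the higher one in the list is applied.
    return map_user_to_acs_group(ADMIN_ON_WIFI, MAPPINGS)


def example_reordered() -> str:
    # Same user, same mappings, reversed order: the outcome changes.
    return map_user_to_acs_group(ADMIN_ON_WIFI, list(reversed(MAPPINGS)))
```

The two helper calls show that mapping order alone decides which single ACS group (and therefore which VLAN attributes) the admin receives on wireless, so the list should be ordered deliberately and reviewed whenever a new mapping is added.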
