ACS 5.3 Group Mapping based on AD group membership

Sami Abunasser
Level 1

Hi,

I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership and map it appropriately to an identity group.

What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG), then associate them with the Identity Group SEC-ENG. Then, under the access service, in the authorization portion, I assign shell profiles and command sets based on Identity Group.

It seems that the ACS server will not match the AD group for the user, and it matches the Default of the Group Mapping portion of the policy every time.

I tried several configuration choices: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.

Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?

Thank you,

Sami

7 Replies

Tarik Admani
VIP Alumni

What patch level of ACS are you on? Please install patch 4; there are a few bug fixes that address the group retrieval issue.

Here is a list of bugs fixed in patch 3:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223113

Here is a list of bugs fixed in patch 4:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223684

Thanks,

Tarik Admani

Tarik,

I am running the latest code patch:

Version 5.3.0.40.4

Last Patch : 5-3-0-40-4

Thank you,

Sami

Hi, I'm facing a similar issue. In my case, the identity group won't match the authorization profile I defined. Is it a known bug, and is Cisco working on a fix for this?

Thanks.

Jim Thomas
Level 4

So the question is, why do you want to use identity groups to accomplish this? You can use the AD groups directly in the authorization policies and set the levels of access accordingly, bypassing the extra step of identity group mapping. There might be a legitimate reason why you still need group mapping, but if you are hitting a bug, then try going straight to AD for group matches.

Most people think that ACS 5.x must work the same as 4.x, with group mapping being required, when in 5.x it's optional.

Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674

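To make the two designs in this thread concrete, here is a small Python model of first-match, rule-based policy evaluation: Sami's two-stage layout (Group Mapping assigns an Identity Group, then Authorization keys on that Identity Group) next to the single-stage layout Jim describes (Authorization keys on the AD group directly). This is an added example, not Cisco code and not anything posted by the participants; the domain, group paths, shell profile names, and the assumption that ACS evaluates rules top-down and stops at the first match are all mine. The last function shows one generic way a rule can fall through to Default in any engine of this kind, a group value that is not spelled exactly as the directory returns it; that is a constructed illustration, not a diagnosis of the poster's problem.

```python
# Added illustration of first-match policy evaluation, modelled on the
# ACS 5.x layout discussed in the thread. Not Cisco code; attribute
# names, group paths and profile names are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A "session" is the attribute bag the policy engine sees after the
# external identity store lookup; every attribute is multi-valued.
Session = Dict[str, List[str]]

# Constructed AD lookup results (made-up domain and groups).
SESSION_SEC_ENG: Session = {
    "AD1:ExternalGroups": [
        "corp.example.com/Users/Domain Users",
        "corp.example.com/Users/G-CRP-SEC-ENG",
    ]
}
SESSION_HELPDESK: Session = {
    "AD1:ExternalGroups": [
        "corp.example.com/Users/Domain Users",
        "corp.example.com/Users/G-CRP-HELPDESK",
    ]
}

Condition = Callable[[Session], bool]


def contains_any(attr: str, wanted: List[str]) -> Condition:
    """'<attr> contains any <values>': true if any wanted value appears
    verbatim among the session's values for that attribute."""
    return lambda s: any(v in s.get(attr, []) for v in wanted)


@dataclass
class Rule:
    name: str
    condition: Optional[Condition]  # None marks the Default rule
    result: str


def evaluate(policy: List[Rule], session: Session) -> str:
    """First-match: walk the rules in order, return the first result whose
    condition holds; the Default rule (condition None) catches the rest."""
    for rule in policy:
        if rule.condition is None or rule.condition(session):
            return rule.result
    raise ValueError("policy has no Default rule")


# --- Two-stage design (Sami): Group Mapping, then Authorization -------
GROUP_MAPPING: List[Rule] = [
    Rule("map-sec-eng",
         contains_any("AD1:ExternalGroups",
                      ["corp.example.com/Users/G-CRP-SEC-ENG"]),
         "SEC-ENG"),
    Rule("Default", None, "All Groups"),
]

AUTHZ_BY_IDENTITY_GROUP: List[Rule] = [
    Rule("sec-eng-shell", contains_any("IdentityGroup", ["SEC-ENG"]),
         "SEC-ENG-Shell"),
    Rule("Default", None, "Default-Shell"),
]


def two_stage(session: Session) -> str:
    """Run Group Mapping, stash the Identity Group on the session, then
    run Authorization against it."""
    enriched = dict(session)
    enriched["IdentityGroup"] = [evaluate(GROUP_MAPPING, session)]
    return evaluate(AUTHZ_BY_IDENTITY_GROUP, enriched)


# --- Single-stage design (Jim): Authorization keyed on the AD group ---
AUTHZ_DIRECT: List[Rule] = [
    Rule("sec-eng-shell",
         contains_any("AD1:ExternalGroups",
                      ["corp.example.com/Users/G-CRP-SEC-ENG"]),
         "SEC-ENG-Shell"),
    Rule("Default", None, "Default-Shell"),
]


def direct(session: Session) -> str:
    return evaluate(AUTHZ_DIRECT, session)


# --- Constructed fall-through case ------------------------------------
def mapping_with_short_name(session: Session) -> str:
    """Same rule, but the group is written as the bare name rather than the
    value the directory actually returns. The verbatim comparison never
    matches, so every session lands on Default (a generic pitfall for
    string-matched rules; not a claim about the poster's configuration)."""
    policy = [
        Rule("map-sec-eng",
             contains_any("AD1:ExternalGroups", ["G-CRP-SEC-ENG"]),
             "SEC-ENG"),
        Rule("Default", None, "All Groups"),
    ]
    return evaluate(policy, session)


if __name__ == "__main__":
    print("two-stage :", two_stage(SESSION_SEC_ENG), two_stage(SESSION_HELPDESK))
    print("direct    :", direct(SESSION_SEC_ENG), direct(SESSION_HELPDESK))
    print("short name:", mapping_with_short_name(SESSION_SEC_ENG))
```

Both designs give the same answer for the same session, which is Jim's point: the Identity Group stage adds nothing unless something else (reporting, a second policy) needs that label. When a Group Mapping rule lands on Default for a user you expect to match, the first thing to check is that the group value in the rule is exactly the value the AD lookup returns for that user; the short-name case above is a model of that check, not of a confirmed ACS bug.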

OK, my case is like this.

I use ACS 5.3 for VPN authentication, using AD and an external RSA server for token authentication (two-factor authentication).

I didn't add all the VPN users to the ACS, because it would be troublesome; user authentication is managed by AD and the RSA server.

In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.

Following the Cisco docs, I managed to get the downloadable ACL to work when the authorization profile matching criterion is username, but when I change the matching criterion to Identity Group, the downloadable ACL won't work.

I have a case open with a Cisco engineer now and we are still in the middle of sorting things out.

The advice from the Cisco engineer is to have the Access Service set to Internal Users instead of the RSA server, but that would require us (the admins) to import all the VPN users into the ACS database.

Wondering whether there is a fix for this.

Thanks.

I found a solution for my case: the identity store sequence.

By adjusting the identity store sequence, I managed to get group-level downloadable ACLs working in my environment.

I'll leave the comment here for others' reference.

Thanks-

Hello Netops,

Could you explain your solution a little bit more?

Regards / Karsten
