ACS 5.3 Group Mapping based on AD group membership

Unanswered Question
May 1st, 2012

Hi,

I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership and map it appropriately to an identity group.

What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG), then associate them with the identity group SEC-ENG. Then, under the access service, authorization portion, I assign shell profiles and command sets based on identity group.

It seems that the ACS server will not match the AD group for the user, and it will match the Default of the Group Mapping portion of the policy every time.

I tried several configuration choices, from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.

Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an identity group?

Thank you,

Sami

Tarik Admani Wed, 05/02/2012 - 00:32

What patch level of ACS are you on? Please install patch 4; there are a few bug fixes that fix the group retrieval issue.

Here is a list of bugs fixed in patch 3:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223113

Here is a list of bugs fixed in patch 4:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp223684

Thanks,

Tarik Admani

sami.abunasser Wed, 05/02/2012 - 11:51

Tarik,

I am running the latest code patch:

Version 5.3.0.40.4

Last Patch : 5-3-0-40-4

Thank you,

Sami

cybernetops Tue, 07/24/2012 - 14:44

Hi, I'm facing a similar issue. In my case, the identity group won't match the authorization profile I defined. Is it a known bug, and is Cisco working on a fix for this?

Thanks.

jthomas@area-ne... Tue, 07/24/2012 - 15:53

So the question is: why do you want to use identity groups to accomplish this? You can use the AD groups directly in the authorization policies and set the levels of access accordingly, bypassing this extra step of identity group mappings. There might be a legitimate reason why you still need group mapping, but if you are hitting a bug then try just going straight to AD for group matches.

Most people think that ACS 5.x must work the same as 4.x, with the group mapping being required, when in 5.x it's optional.

Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674

cybernetops Wed, 07/25/2012 - 07:43

Ok, my case is like this.

I use ACS 5.3 for VPN authentication, using AD and an external RSA server for token authentication (two-factor authentication).

I didn't add all the VPN users in the ACS, because it would be troublesome; the users' authentication will be managed by AD and the RSA server.

In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.

Following the Cisco docs, I managed to get the downloadable ACL to work when the authorization profile matching criterion is username, but when I change the matching criterion to identity group, the downloadable ACL won't work.

I have a case open with a Cisco engineer now and we are still in the middle of sorting things out.

The advice from the Cisco engineer is to have the Access Service set to Internal Users instead of the RSA server, but that will require us (the admins) to import all the VPN users into the ACS database.

Wondering whether there is a fix for this.

Thanks.

cybernetops Wed, 07/25/2012 - 11:42

I found a solution for my case: identity store sequence.

By adjusting the identity store sequence, I managed to get group-level downloadable ACLs working in my environment.

I'll leave the comment here for others' reference.

Thanks.

xgadkjasch Tue, 07/31/2012 - 02:41

Hello Netops.

Could you explain your solution a little bit more?

regards / Karsten

Posted May 1, 2012 at 11:15 AM