ACS 5.3 Group Mapping based on AD group membership

May 1st, 2012
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group.

What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.

It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.

I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.

Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?

Thank you,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Tarik Admani Wed, 05/02/2012 - 00:32

What patch level of ACS are you on? Please install patch 4 there are a few bug fixes that fix the group retrieval issue.

Here is a list of bugs in patch 3 that are fixed:

Here is a list of bugs fixed in patch 4 -


Tarik Admani

Sami Abunasser Wed, 05/02/2012 - 11:51
I am running the latest code patch:


Last Patch : 5-3-0-40-4

Thank you,


cybernetops Tue, 07/24/2012 - 14:44
Hi, I'm facing a similar issue. In my case, the identity group won't match the authorization profile I defined. Is it a known bug and is Cisco working on a fix for this?


Jim Thomas Tue, 07/24/2012 - 15:53
So the question is why do you want to use identity groups to accomplish this? You can use the AD groups directly in the authorization policies and set the levels of access accordingly, bypassing this extra step of identity group mappings. There might be a legit reason why you still need group mapping, but if you are hitting a bug then try just going straight to AD for group matches.

Most people think that ACS 5.x must work the same as 4.x with the group mapping being required, when in 5.x it's optional.

Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674
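To make the two designs in this thread concrete, here is an added example (not from the thread, not Cisco's code) that models ACS-style first-match policy evaluation in Python. It shows the two-stage path from the question (AD group -> identity group SEC-ENG -> shell profile) beside the single-stage path Jim describes (AD group matched directly in the authorization policy), and it separates the two causes behind "Default matches every time": no groups were retrieved from the identity store at all, or groups were retrieved but the string in the rule condition does not match what the store returned. The rule names, shell profile names, the "example.com/Groups/..." form of a retrieved group, and the sample users are all constructed assumptions; ACS's real group string may differ, which is exactly the point of the check.

```python
"""Added example (not from the thread or from Cisco): a small model of
ACS 5.x-style first-match policy evaluation, used to show why a rule on
AD1:ExternalGroups can fall through to Default every time.

Assumptions, all constructed for illustration: the rule names, the shell
profile names, the exact string form in which a retrieved AD group appears
(ACS's real representation may differ), and the sample users.
"""
from dataclasses import dataclass

DEFAULT_RULE = "Default"


@dataclass(frozen=True)
class Rule:
    name: str
    required_groups: frozenset   # semantics of "ExternalGroups contains any"
    result: str


def normalize(group: str) -> str:
    # Compare case-insensitively and ignore stray whitespace; a mismatch in
    # either is a common reason a hand-typed condition never matches.
    return group.strip().lower()


def contains_any(retrieved_groups, required_groups) -> bool:
    """True if at least one required group is among the retrieved groups."""
    retrieved = {normalize(g) for g in retrieved_groups}
    return any(normalize(r) in retrieved for r in required_groups)


def evaluate(rules, retrieved_groups, default_result):
    """First-match evaluation with a trailing Default, as in an ACS group-
    mapping or authorization policy. Returns (matched_rule_name, result)."""
    for rule in rules:
        if contains_any(retrieved_groups, rule.required_groups):
            return rule.name, rule.result
    return DEFAULT_RULE, default_result


# Constructed string for the AD group as the identity store would return it.
SEC_ENG_AD_GROUP = "example.com/Groups/G-CRP-SEC-ENG"

# Two-stage design from the question: AD group -> identity group -> profile.
GROUP_MAPPING = [Rule("Map-SEC-ENG", frozenset({SEC_ENG_AD_GROUP}), "SEC-ENG")]
# The Default of the authorization stage is the least-privileged profile, so a
# failed match degrades to low access rather than to admin access.
PROFILE_BY_IDENTITY_GROUP = {"SEC-ENG": "Shell-Priv15", "All Groups": "Shell-Priv1"}


def two_stage(retrieved_groups):
    _, identity_group = evaluate(GROUP_MAPPING, retrieved_groups, "All Groups")
    return identity_group, PROFILE_BY_IDENTITY_GROUP[identity_group]


# Single-stage design Jim describes: match the AD group in authorization directly.
AUTHZ_DIRECT = [Rule("SecEng-Priv15", frozenset({SEC_ENG_AD_GROUP}), "Shell-Priv15")]


def direct(retrieved_groups):
    return evaluate(AUTHZ_DIRECT, retrieved_groups, "Shell-Priv1")


def diagnose(rules, retrieved_groups) -> str:
    """Separate the two causes behind 'Default matches every time'."""
    if not retrieved_groups:
        return "no groups retrieved from the identity store"
    if evaluate(rules, retrieved_groups, None)[0] == DEFAULT_RULE:
        return "groups retrieved, but none matches a rule condition string"
    return "rule matched"


if __name__ == "__main__":
    member = [SEC_ENG_AD_GROUP, "example.com/Groups/Domain Users"]
    print(two_stage(member))                            # ('SEC-ENG', 'Shell-Priv15')
    print(direct(member))                               # ('SecEng-Priv15', 'Shell-Priv15')
    print(diagnose(GROUP_MAPPING, []))                  # retrieval failure
    print(diagnose(GROUP_MAPPING, ["G-CRP-SEC-ENG"]))   # short name vs full path
```

The `diagnose` check is the practical takeaway: when every user lands on Default, first confirm that the identity store is returning any groups at all (the patch-level problem Tarik raises), and only then compare the condition string character by character against what the store actually returns. Whichever design is used, keep the Default result on the authorization stage at the lowest privilege so that a matching failure never silently grants an elevated shell profile.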

cybernetops Wed, 07/25/2012 - 07:43
Ok, my case is like this.

I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2-factor authentication).

I didn't add all the VPN users in the ACS, because it will be troublesome; the users' authentication will be managed by AD and the RSA server.

In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.

Following the Cisco docs, I managed to get the downloadable ACL working when the authorization profile matching criteria is username, but when I change the matching criteria to Identity group, the downloadable ACL won't work.

I have a case with a Cisco engineer now and am still in the middle of sorting things out.

The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us (the admins) to import all the VPN users into the ACS database.

Wondering whether there is a fix for this.


cybernetops Wed, 07/25/2012 - 11:42
I found a solution for my case -> identity store sequence.

By adjusting the identity store sequence, I managed to fulfill my environment's need for group-level downloadable ACLs.

I'll leave the comment here for others' reference.
