I have a user xyz in a native-mode Windows 2000 domain. I have a global security group in that same domain and the user xyz is a member of that global security group. I have configured ACS to authenticate against this external Windows 2000 domain database. I have configured ACS user group 1 to map to the global security group mentioned before. Here's the problem:
User xyz can successfully authenticate when trying to access a network device. However, user xyz gets dynamically mapped to the Default Group 0 in ACS instead of the intended user group 1. Why?
This is a big problem for us because we want to assign privilege levels and shell command lists to ACS groups. Since the dynamic mapping fails, the user gets kicked out because authorization fails after authentication succeeded.
Any help is greatly appreciated!
You have the Windows 2000 domain to ACS group mapping issue. Please follow these steps to fix the problem:
1. Click on External User Databases --> Database Group Mappings --> Windows NT/2K.
2. Under Domain Configurations, make sure you see your domain; if not, add the domain by clicking on "New Configuration".
3. Click on your domain name --> Click on Add Mappings. You should then see the list of groups.
4. Select the global security group --> Click Add to selected.
5. In the same window, select Cisco Secure Group as Group 1 --> Then submit.
I hope this helps! Thanks,
Thanks Mynul, but your response simply describes Cisco's standard documentation way of how to supposedly do this. I actually followed all these steps, and the mapping is displayed correctly. The problem is that after the member of the W2K user group authenticates for the first time, he gets dynamically mapped to the Default Group 0 instead of to the desired group 1 or whatever else I specify. I see this by listing all users. I can't really believe this is a new bug that I discovered, because I would think that other people wanted to use this feature before. Any other ideas?
I was covering all the bases ;-) I am not aware of any bug on this issue. Which build of ACS do you have? Is it a trial version? If it is a full-blown production version, please open a TAC case, have this issue investigated, and then file a bug.
Same here, just covering all the bases. My security solution vendor is following the TAC route to see if they find a resolution; I am checking out this forum here. If you look at the previous post, you will see that we're probably on to something. The field notice mentioned seems to describe our problem, but I have the following issue with it: our ACS server is on an AD controller of the root domain of our forest/tree. It tries to authenticate against the AD of a child domain. Apparently, it *can* enumerate the groups; remember, we can browse them in the selection box when trying to establish the group mappings. To sum it up, it can authenticate the user, it can enumerate the groups, but it fails to map the group to an ACS-internal group. Sounds to me like a true ACS bug, don't you agree?
Yes, I have just done a demo/presentation with a client of ours showing how these mappings work. I was forced to use the default (Group 0) to illustrate this. But, just like you explained, other mappings are simply ignored and only the default group gets used. This is very alarming, since I've seen it work in previous versions.
I hope someone can provide a solution soon. The feature / functionality is critical. The only patch I found so far is the update file for CSadmin.exe. And it doesn't fix this problem.
According to a field notice, Cisco is "working" with Microsoft regarding a similar problem. See the following field notice for more details: http://www.cisco.com/warp/customer/770/fn20228.shtml
related to bug: CSCdy18833
Thanks for sharing your info. But this is a different bug and field notice than the dynamic group mappings problem. That one is for authenticating ACS users to AD. Here, I think the problem is that users can authenticate but the dynamic group mapping is not working appropriately (a totally different problem). This issue needs further investigation, and a bug needs to be filed if it is found to be a bug.
Have you tried changing the group mapping order? If you have a user who is part of the Users group, and this group is the first group in the list on the ACS server, then that user will map to the Users group and not another group.
The group mapping order seems to be irrelevant, as there is only the default group 0 (no members) and the new group 1 (the authenticated user is to be dynamically mapped here). No other mappings are being attempted. Thanks for your response, though. We've had a TAC case open for two weeks now with no results; maybe we can get them to escalate it.