Cisco Support Community

ACS 4.2 Group Mappings with External Database

We’ve got 4 corporate WLCs which report back to two ACS servers. Our AD then has 4 domains, so we’ve had to duplicate what we’re doing 4 times with ACS group mappings.

Originally we just had one group for User Authentication and another for Machine Authentication which is all for wireless connectivity. Devices mainly connect via the Machine Authentication, but we’ve had a few non-domain devices which have used User Authentication. Both use certificate authentication with our Corporate Microsoft Certificate Authority.

We’ve then added a user authentication group for TACACS devices, so we can log onto switches, routers, ASAs etc. and do AAA.

We’ve then had to start adding Blackberry devices and Apple iOS devices.

The latest addition is for guest wireless users who connect to a guest WLC in a DMZ.

So we have ended up with, in the NT Group Mappings, multiple NT Groups with a mapping to the ACS Group. I am aware that in ACS 4.2 Cisco states that it will try any known external database to authenticate a user and therefore the groups need to be ordered correctly; however, this is giving us a problem as a user may exist in multiple groups.

Ideally I want to be able to restrict, say, a TACACS device (port 49) to only work with the TACACS Users group. I can then look at allowing the Corporate WLCs to only work with the corresponding wireless users/machine groups, then another for the guest WLC users.

I have been looking at the NARs, but it’s not quite giving me what I want. Can anyone provide some useful information as to whether this is achievable?
