Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACS 4.2 (LDAP Config)

How exactly does the ACS deteremine which users are authenticated for access to a device?

When our devices talk to the ACS - it checks the LDAP for pass/fail.  However, how do we prevent users who are in LDAP, but shouldn't have access to the device they're trying to get in?

I don't know much about ldap, etc. 

In the Ext. Database it mentions:

User Dir. Subtree

Gr Dir. - Subtree

User Obj. Type 

User Obj. Class

Group Object Type

Gr. Object Class

Group attribute Name

I want to make sure only a subset ldap users get access to our devices.

  • AAA Identity and NAC
Cisco Employee

Moddy,If I understood your


If I understood your questions correctly - You want that a specific set or group of users on the ldap server should have access to your network devices ( like router/switches/ASA etc) through administrative session like telnet/ssh.

Assuming your ACS is already integrating with LDAP and can fetch all the LDAP groups. In case you're facing integrating ACS with LDAP. A very quick way to sort this out could be to first test by browsing the LDAP database with a free LDAP browser such as Softerra:

Once you'll successfully bind and browse the tree with this browser, you can apply the same settings to ACS.

If that's what you need then I guess you can do it in two different ways:

1.] You can create users on the ACS > user setup > Under password authentication select LDAP as an external database. The same user should exist on the ACS local DB and on the LDAP server. However the password will be checked against LDAP only, the ACS password will not be checked if defined. Move all these users into a single group and configure Network access restriction on that group. How to configure NAR on ACS 4.x

2.] You can configure group mapping on ACS 4.x and map your ACS internal group with LDAP external groups. Fo all other combination select no-access group. On LDAP create a group and make users of that specific group only. On the ACS configure NAR on the mapped internal group. This way users who are part of that valid group on LDAP can only access the devices defined under NAR.  Group Mapping with generic LDAP

Let me know if you have any questions.




** Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
This widget could not be displayed.