Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1017
Views
5
Helpful
4
Replies

ACS 4.2 - one local user be part of multiple local groups

Go to solution
mguzman4158
Level 1
Level 1

‎06-04-2010 10:57 AM - edited ‎03-10-2019 05:10 PM

Hello,

I have a group of network engineers that need full admin access to two groups locally in ACS - Network Admins and LMS Admins <--- (New group created for recent LMS CiscoWorks installation).

I have two NDG's - Cores and LMSserver <-- new

Problem: If a user belongs to Network Admins group, user can login to the LMS server but limited functions.  If user is moved to LMS admin has full functions but loses level 15 access to the routers and switches, which are AAA clients for Cores.

I've tried many different settings and still can not find the right one.  Is this doable in ACSv4.2?

Thank you very much in advanced for your input.

Cheers!

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to mguzman4158

‎06-04-2010 02:04 PM

With currect ACS version 4.2 the best option you can think of is Network access profile (NAP)


Network access profiles are a feature that could be quite useful. They allow classification of access requests based on network location, device belonging to a network device group, protocol, or other RADIUS attributes sent by the device the user is connecting through. In addition, authentication, access control, posture validation, and authorization policies can be mapped to profiles.


Network access profile

http://www.cisco.org.lv/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NAPs.html#wp1103807


In ACS 5.x, same user can be a part of different groups at any given time.


HTH

JK


Do rate helpful posts-

~Jatin

View solution in original post

Go to solution
Jagdeep Gambhir
Level 10
Level 10
In response to mguzman4158

‎06-04-2010 02:20 PM 

Here is the a workaround to solve it.

Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. 

Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.

Select the AD group NetworkAdmin and map it to ciscosecure group 1
select the AD group RouterAdmin and map it to ciscosecure group 2
select the AD group Wireless and map it to ciscosecure group 3

Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and
that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure
group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)

Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2
and 3 respectively as per above mappings.

You can check the mappings on the passed authentications for users as to what group are they getting mapped to.

SCENARIO:

Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because
NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG  or individual  NetworkAdmin NAS device.

NOTE:

If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
routers and switches.

IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
username is to go to usersetup find that user and delete it manually.

ACS will not support the following configuration:

*An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.

*The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a  NAR  configured assigning
specific AAA clients to the group. 

However there if your mappings are in below order...

NT Groups            ACS groups

A,B,C =============>  Group 1   
A     =============>  Group 2
B     =============>  Group 3
C     =============>  Group 4.

You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.

This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
You can create a rule for users in  group A (Group 2)
You can create a rule for users in  group B (Group 3)
You can create a rule for users in  group C (Group 4)

Please check this links 

Group mapping order:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/qg.htm
#wp940485

Regards,
~JG

Do rate helpful posts

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎06-04-2010 01:13 PM

Hi ,

In ACS user can be a part of only one group. Do we have AD user or internal acs user?

Incase of AD we do have a way around.



Let me know



Regards,

~JG



Do rate helpful posts

0 Helpful

Go to solution
mguzman4158
Level 1
Level 1
In response to Jagdeep Gambhir

‎06-04-2010 01:16 PM

Hi,

Yes, I do AD.

Cheers!

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to mguzman4158

‎06-04-2010 02:04 PM

With currect ACS version 4.2 the best option you can think of is Network access profile (NAP)


Network access profiles are a feature that could be quite useful. They allow classification of access requests based on network location, device belonging to a network device group, protocol, or other RADIUS attributes sent by the device the user is connecting through. In addition, authentication, access control, posture validation, and authorization policies can be mapped to profiles.


Network access profile

http://www.cisco.org.lv/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NAPs.html#wp1103807


In ACS 5.x, same user can be a part of different groups at any given time.


HTH

JK


Do rate helpful posts-

~Jatin

Go to solution
Jagdeep Gambhir
Level 10
Level 10
In response to mguzman4158

‎06-04-2010 02:20 PM 

Here is the a workaround to solve it.

Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. 

Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.

Select the AD group NetworkAdmin and map it to ciscosecure group 1
select the AD group RouterAdmin and map it to ciscosecure group 2
select the AD group Wireless and map it to ciscosecure group 3

Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and
that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure
group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)

Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2
and 3 respectively as per above mappings.

You can check the mappings on the passed authentications for users as to what group are they getting mapped to.

SCENARIO:

Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because
NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG  or individual  NetworkAdmin NAS device.

NOTE:

If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
routers and switches.

IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
username is to go to usersetup find that user and delete it manually.

ACS will not support the following configuration:

*An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.

*The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a  NAR  configured assigning
specific AAA clients to the group. 

However there if your mappings are in below order...

NT Groups            ACS groups

A,B,C =============>  Group 1   
A     =============>  Group 2
B     =============>  Group 3
C     =============>  Group 4.

You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.

This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
You can create a rule for users in  group A (Group 2)
You can create a rule for users in  group B (Group 3)
You can create a rule for users in  group C (Group 4)

Please check this links 

Group mapping order:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/qg.htm
#wp940485

Regards,
~JG

Do rate helpful posts

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents