Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 4.x and Dynamic Mappings

Hi -

We have ACS integrated with AD and when a user is dynamically mapped, we would like to change the group locally on the ACS from what the mapping was, but after a while, the user changes back to "dynamic mapping" and the old group.

Is the only way to keep the setting is create the user locally and tell it to look for the password in the "Windows Database"?

Thank you!


Re: ACS 4.x and Dynamic Mappings

Its shouldnt be.. if you edit a dynamic user to hard set group membership the setting should remain.

That said, such users still have an "auto created" flag which newer versions of ACS probably use in order to seek out and destroy dynamic users.

Sounds like the safest way, as you've found, is to manually create.

Also worth noting with AD, the same user could end up with several accounts in ACS depending on whether how they entered their name:




Each would look different to ACS and you might get multiple accounts.

Worse still, if you are doing NAC/NAP you'll see ACS create a user record for each user for each NAP.

New Member

Re: ACS 4.x and Dynamic Mappings

Thanks for the reply! Good info.

I will probably end up filing a TAC case to get a definitive answer as to why the users are cleared even tho their group is changed after they are dynamically mapped.

New Member

Re: ACS 4.x and Dynamic Mappings

Must we migrate to Microsoft IAS before some Cisco Expert could give us some answer?

New Member

Re: ACS 4.x and Dynamic Mappings

I'm sorry, i've send a reply to wrong topic.

I was referring to the previous post "AAA: AAA Windows AD Authentication per Device Group" and i am so frustrated because i don't find a solution.