Cisco Support Community

New Member

ACS 5.1 - Can external users be members of internal groups?

Currently I use ACS 4.1 to authenticate network admin access to routers and switches. Users' credentials are authenticated against a Microsoft AD domain, but group membership is handled via ACS because we do not want to deal with the corporate AD bureaucracy regarding AD groups.

I am trying to migrate to ACS 5.1 because of its much more efficient and flexible policy, but I am having issues trying to get the external users to be members of internal groups.

I REALLY don't want to have to create AD groups and do the whole group-mapping thing. Am I missing something obvious, or am I overthinking it?

Thanks

Nathan Spitzer

Sr. Network Communications Analyst

Lockheed Martin

1 ACCEPTED SOLUTION
Cisco Employee

Re: ACS 5.1 - Can external users be members of internal groups?

This can be done by creating an identity sequence: Users and Identity Stores > ... > Identity Store Sequences

1) Select "Password Based" as the Authentication Method

2) In "Authentication and Attribute Retrieval Search List", select AD1

3) In "Additional Attribute Retrieval Search List", select InternalUsers

4) Select the Advanced Option 'If internal user/host not found or disabled then exit sequence and treat as "User Not Found"'

This can then be selected as the result in an identity policy. What this does is authenticate the user in Active Directory. If authentication fails, it will be treated as an authentication failure. If authentication passes, it will then look up the user in the internal user database. If there is no active user in the internal user database, the identity sequence will be treated as if it failed with an "Authentication Status" of "UnknownUser".
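The decision logic of the sequence described in the accepted answer, written out as an added example (illustrative Python, not ACS software and not code from the original thread). The store names AD1 and InternalUsers follow the answer; the account names, passwords, the "enabled" flag and the group name "NetAdmins" are constructed sample data; the status label "UnknownUser" is the one the answer quotes, while "AuthenticationFailed" and "Passed" are labels chosen here. The branch taken when the advanced option is turned off is this example's reading of what that option prevents: AD authenticates the user, but no internal group attributes are available for authorization.

```python
"""Model of an ACS 5.1 identity store sequence: authenticate against AD,
then retrieve group membership from the internal user store.

Illustrative code only. AD1 and INTERNAL_USERS below are constructed
stand-ins for the two identity stores, not real directories.
"""
from dataclasses import dataclass, field
from typing import Optional
import hmac

# Constructed credential store standing in for AD1 (username -> password).
AD1 = {
    "nspitzer": "Correct-Horse-Battery",
    "jdoe": "Staple-Only",
    "contractor": "Temp-Pass-1",
}

# Constructed stand-in for InternalUsers: enabled flag plus ACS internal
# identity groups. "contractor" exists in AD1 but has no internal user.
INTERNAL_USERS = {
    "nspitzer": {"enabled": True, "groups": ["NetAdmins"]},
    "jdoe": {"enabled": False, "groups": ["NetAdmins"]},  # disabled account
}


@dataclass
class SequenceResult:
    # "Passed", "AuthenticationFailed" or "UnknownUser" (only the last
    # label is taken from the answer; the others are illustrative).
    status: str
    groups: list = field(default_factory=list)
    source: Optional[str] = None  # store that supplied the attributes


def ad_password_auth(user: str, password: str) -> bool:
    """Step 1/2 of the answer: password-based authentication against AD1."""
    stored = AD1.get(user)
    if stored is None:
        return False
    # Constant-time comparison; a real directory would verify a hash.
    return hmac.compare_digest(stored.encode(), password.encode())


def identity_sequence(user: str, password: str,
                      exit_if_internal_missing: bool = True) -> SequenceResult:
    """Steps 3/4 of the answer: after AD authentication, look the user up
    in InternalUsers. The flag models the advanced option
    'If internal user/host not found or disabled then exit sequence and
    treat as "User Not Found"'."""
    if not ad_password_auth(user, password):
        return SequenceResult("AuthenticationFailed")

    rec = INTERNAL_USERS.get(user)
    if rec is None or not rec["enabled"]:
        if exit_if_internal_missing:
            # Fail closed: the sequence ends as if the user were unknown.
            return SequenceResult("UnknownUser")
        # Option off (this example's reading): authentication stands, but
        # no internal group attributes exist for the authorization policy.
        return SequenceResult("Passed", groups=[], source="AD1")

    return SequenceResult("Passed", groups=list(rec["groups"]),
                          source="InternalUsers")


def device_admin_authorized(result: SequenceResult) -> bool:
    """Minimal authorization rule: only a Passed result carrying the
    internal group NetAdmins gets device administration."""
    return result.status == "Passed" and "NetAdmins" in result.groups


if __name__ == "__main__":
    for user, pw in [("nspitzer", "Correct-Horse-Battery"),
                     ("nspitzer", "wrong"),
                     ("jdoe", "Staple-Only"),
                     ("contractor", "Temp-Pass-1")]:
        res = identity_sequence(user, pw)
        print(f"{user:10} {res.status:20} groups={res.groups} "
              f"authorized={device_admin_authorized(res)}")
```

The point to notice is the fourth step: with the option on, an AD account that has no enabled internal user never reaches the authorization policy as an authenticated identity, so the internal user list acts as an allow list for who may administer devices. With the option off (as modelled here) the same account arrives authenticated with an empty group list, and the authorization policy has to deny it explicitly.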

2 REPLIES
New Member

Re: ACS 5.1 - Can external users be members of internal groups?

Now we are cooking with gas!!! Thanks a bunch, this is just what I wanted.
