
New Member

ACS Group Configuration Help Request

We currently have an underutilized ACS server and are trying to 'secure' more of our devices and the network in general utilizing the ACS 4.0 we have.

The problem, and I'm guessing it's a simple resolution, is that currently we have a Group called Remote_Access for vpn/citrix. It is mapped to an external database (Active Directory) group named Remote_Access. Everything works fine there. The problem I'm having is, I created another group in ACS further down the list for TACACS_ADMIN. We also have this group mapped to an AD group called TACACSADM. However, it seems that due to the fact that I personally am a member of both RemoteAccess and TACACSADM, whenever I try to authenticate to a switch, it shows me hitting the RemoteAccess group, not TACACS ADMIN. How do I tell the groups to ignore requests unless it comes from a certain AAA client? I tried doing a Define IP Based Restrictions and selecting the AAA NG that it could come from, but all that did was give me a 'user filtered' in the failed attempts log for RemoteAccess. Isn't there some way to have it skip the Remote Access group and go on to TACACS Admin group?

Confusing I know.

5 REPLIES
Cisco Employee

Re: ACS Group Configuration Help Request

Hi,

A user can be part of a single group only. The first group which is encountered in Active Directory will be used for Group mapping into ACS.

What you can do is add the tacacs attributes in the user profile for your username. This way you will have the Remote Access and also be able to login to the switch.

Regards,

Vivek

New Member

Re: ACS Group Configuration Help Request

But since I don't actually have a username in ACS and it's coming from AD, how would I go about adding the TACACS details to it? Wouldn't it be a dynamic user that would go away after a while?

Cisco Employee

Re: ACS Group Configuration Help Request

Raun,

Dynamic users do not go away after a while. Anyways another thing which can be done is add the user manually in ACS and set it to authenticate to Windows Database.

This way the user is no longer a "dynamic" user.

Regards,

Vivek

New Member

Re: ACS Group Configuration Help Request

I have been working on similar issues and the product is quite confusing. I think the way it works is you match the first group top down. You have 500 groups to work with so I think you need to create a group that has rights to both remote access and what you now call tacacsadm. Maybe call it NetAdmin and give that a try.

New Member

Re: ACS Group Configuration Help Request

Hello,

you can solve your problem with the feature Network Access Profile. With this feature you can assign one user to different groups.

You must create two Network Access Profiles (profile_remote_access, profile_tacacs_admin) with different protocol types (RADIUS for remote access, TACACS for administration).

Look at

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a00805e879e.html

regards

alex
