11-07-2006 08:06 AM - edited 03-10-2019 02:49 PM
What I am trying to configure is a way to have 4 groups that get assigned different IP addressing when they authenticate against a Windows domain. Should this be done with the domain group mappings configuration, where I have a domain group, tie this to an ACS group, which is then tied to an IP pool?
11-13-2006 07:25 AM
It is currently not possible to make use of any AD attributes from the authentication response and associate to groups dynamically to categorize users and assign IP addresses based on the groups. Alternately, when ACS passes the authentication request, it is passed to AD and AD responds. When AD responds, the user information is cached in ACS. And on ACS, based on the userid, a specific IP address can be assigned to distinguish different users, thereby enabling network access controls on firewalls or routers for those IP addresses (in turn users). The advantage of this method is that there is no need to change the user profile information on clients. But the downside is that, whenever a user is added, ACS needs to be manually configured with an IP address for each user, and the user also has to try a first-time login before the user is cached and can be configured with an IP address.
11-13-2006 11:51 AM
I think this is possible using ACS version 4.0. You can use the NAP/NAF/RAC feature in ACS. For more details, check the ACS 4.0 documentation. Below are the links.
For RAC:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp707665
For NAF:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp696532
For NAP:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sp.htm