Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

acs looks in external userdatabase only once

We've got a rule in our pix that authentication for outside adresses (the internet) will be via tacacs+

Our tacacs server is an acs (version 3.3) and the authentication-mechanism works.

In the acs we've got an external userdatabase (active directory) and we say that if a user

is member from a particulair group he will be mapped with a acs group wich will give

the user the rights.

for new users this goes fine but for users that already exists in acs (in other groups) then

the acs will never look in the external userdatabase but will authenticate against the

existing user (and if the user is in a wrong group we've got a failed attempt)

Is there a way to tell acs allways to look in the external userdatabase??


Re: acs looks in external userdatabase only once


This actually depends on how the user (in ACS) was created.

If you manually enter a user with password type set to AD - the user will always be in the group you assigned at creation time (or re-assigned during an edit)

If the user was auto-created by the unknown user policy - then the group setting will be dynamic and assigned via the group mapping policy for the external authenticator.

It sounds like some of your AD users have been manually assigned groups within ACS. Provided your unknown user policy is working yhou could simply delete the users in ACS and let them get auto-recreated.


New Member

Re: acs looks in external userdatabase only once

Ok, thank you for your reply.

But what will happen when one user at one time needs to be authorized by a group 1

in AD and another time he must be authorized by group 2 in AD (depends on whats he's doing).

I think that that will not be possible, Am I right ??


Re: acs looks in external userdatabase only once

Depends on the protocol.. RADIUS or TACACS+

For RADIUS you could (in v4.0) create multiple NAPs; each with its own AD->ACS group mappings.

For TACACS+ you create NDG->Device Command Set mappings to modify the authorisation based on the device group being managed.