Solved: Cisco ACS 4.2 one user in multiple local groups

muhammad-furqan · ‎12-31-2013

Currently i have group mapping like this

ACS Groups Window Groups

Grp-A-B Grp-1 and Grp-2
Grp-A Grp-1

Grp-B Grp-2

For example currently one user test1 is part of both groups 1 and 2 in windows and is mapped to Grp-A-B in ACS. Is it possible if i delete the Grp-A-B mapping in ACS and can see the user test1 speratley in both groups ( Grp-A and Grp-B) in ACS?

Amjad Abdullah · ‎01-02-2014

Salam Muhammad,

If you have a local user in ACS, that user can not be a member of two groups at the same time.

The same concept applies to the external users. They can not be mapped to two different groups at the same time.

If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 process the goup mapping in order:

'''snip'''

Group Mapping Order

ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.

ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.

'''snip'''

Reference:http://goo.gl/cvc474

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

View solution in original post

Amjad Abdullah · ‎01-02-2014

Salam Muhammad,

If you have a local user in ACS, that user can not be a member of two groups at the same time.

The same concept applies to the external users. They can not be mapped to two different groups at the same time.

If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 process the goup mapping in order:

'''snip'''

Group Mapping Order

ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.

ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.

'''snip'''

Reference:http://goo.gl/cvc474

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

muhammad-furqan · ‎01-05-2014

Wa Alikum Asalam Amjad,

Yes i agree its not possible do you think its possible in version 5.x because my customer have 100's of groups in AD and users are part of multiple groups so in this case we have to create lot of combinations do you think any other solution is available ?