
New Member

Cisco ACS 4.2 one user in multiple local groups

Currently I have group mapping like this:

ACS Groups    Windows Groups
Grp-A-B       Grp-1 and Grp-2
Grp-A         Grp-1
Grp-B         Grp-2

For example, currently one user, test1, is part of both groups 1 and 2 in Windows and is mapped to Grp-A-B in ACS. Is it possible, if I delete the Grp-A-B mapping in ACS, to see the user test1 separately in both groups (Grp-A and Grp-B) in ACS?


Accepted Solutions


Salam Muhammad,

If you have a local user in ACS, that user cannot be a member of two groups at the same time.

The same concept applies to the external users. They cannot be mapped to two different groups at the same time.

If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 processes the group mapping in order:

'''snip'''

Group Mapping Order

ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.

ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.

'''snip'''

Reference: http://goo.gl/cvc474

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
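The first-match behaviour described in the answer above, as an added example that is not part of the original thread and not Cisco code. It assumes a group set matches when the user belongs to every external group in the set; the function names and the shadowing check are hypothetical helpers for auditing a mapping order.

```python
# Added illustration of first-match group set mapping, modelled on the
# "Group Mapping Order" text quoted in the thread. Assumption: a mapping
# matches when the user is a member of every external group in its set.

def map_user(memberships, mappings):
    """Return the ACS group of the first mapping whose group set is fully
    contained in the user's external memberships, or None if none match."""
    for acs_group, group_set in mappings:
        if group_set <= memberships:
            return acs_group  # mapping stops at the first match
    return None

def shadowed(mappings):
    """Return (unreachable_mapping, shadowing_mapping) pairs.

    A mapping can never be selected when an earlier mapping's group set is
    a subset of its own: every user who matches it matches the earlier one.
    """
    pairs = []
    for i, (name, group_set) in enumerate(mappings):
        for earlier_name, earlier_set in mappings[:i]:
            if earlier_set <= group_set:
                pairs.append((name, earlier_name))
                break
    return pairs

# Constructed data taken from the mapping table in the question.
ORIGINAL = [
    ("Grp-A-B", frozenset({"Grp-1", "Grp-2"})),
    ("Grp-A", frozenset({"Grp-1"})),
    ("Grp-B", frozenset({"Grp-2"})),
]
WITHOUT_AB = ORIGINAL[1:]                              # Grp-A-B mapping deleted
MISORDERED = [ORIGINAL[1], ORIGINAL[0], ORIGINAL[2]]   # Grp-A listed first
TEST1 = frozenset({"Grp-1", "Grp-2"})                  # user test1's Windows groups

if __name__ == "__main__":
    print("original order:  ", map_user(TEST1, ORIGINAL))
    print("Grp-A-B removed: ", map_user(TEST1, WITHOUT_AB))
    print("Grp-A moved up:  ", map_user(TEST1, MISORDERED))
    print("unreachable in misordered list:", shadowed(MISORDERED))
```

Because the result depends only on list position, the combined mapping has to stay above the single-group mappings it overlaps with, otherwise users silently receive the authorization of the less specific group.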

2 REPLIES

New Member


Wa Alikum Asalam Amjad,

Yes, I agree it's not possible. Do you think it's possible in version 5.x, because my customer has 100's of groups in AD and users are part of multiple groups, so in this case we have to create a lot of combinations? Do you think any other solution is available?
