Solved: Re: Configuring authentication using AD Group mappings

Sami Abunasser · ‎04-03-2012

Hi,

I recently installed ACS 5.3 and am trying to configure as follows:

1) Devices are seperated into Locations and Device types.

2) ACS is authenticating using AD.

3) User must be in specific AD group to be able to access a specific device type/location.

I am testing my setup with WCS. The server was added to list of Network Devices and placed in the correct location/device type.

Under access policies, I configure an Access Service named (NAAS-WCS) which has an Identity and Group Mapping structure.defined as follows:

* Identity: Condition (NDG:Device Type -> in All Device Types: WC), Results (Identity Store: AD1).

*Group Mapping: (Condition: AD1:ExternalGroups), Results (Identity Group: All Groups:SBD-SEC-ENG).

What I'm trying to implement is the following rule:

if (device in device type WC) and (user in AD group G-CRP-SEC-ENG) then allow access otherwise block.

I added the groups in the AD configuration of the server, and used that group in defining the rules. The error I get from tacacs when I attempt to log in is attached in the jpeg.

Anyone know where I'm going wrong? This is the first time I use the new ACS system.

Thank you,

Sami Abunasser

mile.ljepojevic · ‎04-03-2012

I had similar problem, since all request came as CHAP/MD5 which is not the same as MS-CHAP v1 and v2 that we can chose on ACS.

How are you trying to authenticate users? Web-page or dot1x? If it is a web-page, choose PAP as authentication and you should be fine.

View solution in original post

jrabinow · ‎04-03-2012

There are a couple ways to do this:

1) Put two columns (conditions) in authorization policy

One for device type and one condition based on ExternalGroups attribute in the active directory dictionary

then make conditions only in authorization policy and not use group mapping

///// this is using AD groups directly

2) If using group mapping then add a condition to authorization policy using the IdentityGroup

///// this is using group mapping to map an AD group to an internal group and then using the internal group in policy

Sami Abunasser · ‎04-03-2012

jrabinow,

thanks for the quick response. i tried to edit the rules as you mentioned (i tried both ways) and I'm still getting the same error.

Looking at the serivce selection rules, i see a hit count on the rule that's applying the access service, but then when i go to the access service definition there is a hit count of 0.

In the logs it sill has the same error:

22056 Subject not found in the applicable identity store(s).

I engaged our AD admin also, and he's taking a look at AD to see if he sees any log entries that might help, becuase when you look at the detailed log there's the following error:

Selected Identity Store -

Current Identity Store does not support the authentication method; Skipping it

Thank you,

Sami

mile.ljepojevic · ‎04-03-2012

I had similar problem, since all request came as CHAP/MD5 which is not the same as MS-CHAP v1 and v2 that we can chose on ACS.

How are you trying to authenticate users? Web-page or dot1x? If it is a web-page, choose PAP as authentication and you should be fine.

Sami Abunasser · ‎04-04-2012

Mile,

Thank you for your response, that was the issue. I did not even notice that was not an option.

On another note, what I was trying to get to authenticate on ACS was a WCS server. There were two issues, the CHAP/MD5, and the second was that bulk import of custom attributes in ACS 5.2 and 5.3 doesn't work and a patch is being worked on (CSCtx18638 Cannot add custom shell attribute with keyword alert).

After I changed the authentication type, and add the attributes one at a time, it worked fine.

Thanks all for your help!!!