
New Member

Help Needed: ACS 5.1 AD Group Mapping

We currently have 2 x ACS 4.x servers performing all AAA in our organisation.  I have just received 2 x ACS 5.1 appliances which I would like to implement and for these to take over the running from the 4.1 boxes.  As I am not 100% sure of the historical config (or mis-config) of the 4.x boxes I wanted to set the 5.1 boxes up from scratch.

So the 5.1 boxes are licensed, have been added to the AD domain and have 1 test device (an ASA) configured to use them.  I have already been able to get a successful login to the ASA but here comes the crunch - anyone with an AD account can log in.

Before I get a load of 'RTFM' responses, I have read the manual, all 680 odd pages, once through.  I am struggling a little with the new terminology as I have used 4.x for so long and it is all a little different.  I know 4.x has shortfalls and I think 5.1 addresses these but I am struggling with the basics.

So from the section where I have connected to the AD domain I have pulled out a couple of AD groups I want to use when creating rules for access.  These are listed in the AD groups section.

The problem is when I create the service policy either simple or rule based, I cannot seem to be able to choose an AD group in order to limit authentication to just this group.

I am sure I am missing something fundamental and ask for a gentle prod in the right direction.

Many thanks in advance for your assistance


Cisco Employee

Re: Help Needed: ACS 5.1 AD Group Mapping

You need to create conditions in the authorization policy that use these groups, similar to the following, to allow users in group "abc" access to the system:

1) Add a column for a condition based on AD user groups: press "Customize", select the "AD1:ExternalGroups" attribute as a selected condition and press OK.

2) Create a new rule by pressing "Create" in the policy page. Check "AD1:ExternalGroups", press the select option and then select the group "abc". The shell profile selected as the result should be "PermitAccess" (default result). Press "OK" to save the rule.

3) On the main policy page, check the box next to Default and press "Edit". Select the "Deny Access" profile as the default rule result.

Press "Save Changes" to save the new policy.

Now all users that are in group "abc" will be permitted access and all other users denied.

Note there are two possible operators used for operations on external groups that have significance when matching on multiple groups:

  • Contains ANY: Any one of the listed groups must match for the rule to be matched
  • Contains ALL: All of the listed groups must match for the rule to be matched
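As an added illustration (not ACS code and not part of the reply above), the following Python model evaluates an ordered authorization rule table the way the reply describes: a rule whose AD1:ExternalGroups condition uses Contains ANY or Contains ALL, first match wins, and the default rule's result applies when nothing matches. The rule names, the "netops" group and the sample user memberships are constructed; only "abc" comes from the thread.

```python
"""Toy model of ACS 5.x authorization-rule evaluation on AD external groups.

Constructed illustration, not Cisco ACS code. It models the policy from the
reply: an ordered rule table, each rule carrying an AD1:ExternalGroups
condition with operator "contains_any" or "contains_all", first-match
semantics, and the default rule's result when no rule matches.
"""
from dataclasses import dataclass, field

PERMIT = "PermitAccess"
DENY = "DenyAccess"


@dataclass
class Rule:
    name: str
    groups: frozenset  # groups listed in the AD1:ExternalGroups condition
    operator: str      # "contains_any" (ANY) or "contains_all" (ALL)
    result: str        # shell profile returned when the rule matches

    def matches(self, user_groups):
        if self.operator == "contains_any":
            return bool(self.groups & user_groups)   # at least one listed group
        if self.operator == "contains_all":
            return self.groups <= user_groups         # every listed group
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    default_result: str = PERMIT  # ACS ships with PermitAccess as the default

    def evaluate(self, user_groups):
        """Return (rule name, result) for the first matching rule, else the default."""
        user_groups = frozenset(user_groups)
        for rule in self.rules:
            if rule.matches(user_groups):
                return rule.name, rule.result
        return "Default", self.default_result


def open_policy():
    # The state in the question: no group rule, default left at PermitAccess,
    # so any authenticated AD account is authorized.
    return Policy(rules=[], default_result=PERMIT)


def restricted_policy():
    # The reply's fix: one rule for group "abc", default changed to Deny Access.
    abc = Rule("abc-users", frozenset({"abc"}), "contains_any", PERMIT)
    return Policy(rules=[abc], default_result=DENY)
```

Running `restricted_policy().evaluate({"Domain Users"})` returns the default Deny Access result, while a user whose membership includes "abc" gets PermitAccess from the "abc-users" rule.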