Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

RSA to ACS to VPN Concentrator group mappings

I'm trying to find a more simplified approach on how to manage my RSA token assigned users for VPN access. This is my first time working with RSA. I want to be able to go to the RSA server and create a user, assign a token, and a group. When I do that I want ACS to dynamicaly assign that user to the same group when they initially authenicate, I've tried with no success. Ultimate goal would be to give them a prepackaged client, assign the token in RSA Ace, and create the groups with restrictions on the ACS. I just need the user to fall into the correct group when they login.

New Member

Re: RSA to ACS to VPN Concentrator group mappings

It is not possible as far as I am aware to dynamically add users to multiple groups. Also be aware that if you change which group users are dynamically added to then users already added will be deleted.

The most efficient way to use this feature would be to choose the group with most users in and apply it to that.

Hope that helps.

New Member

Re: RSA to ACS to VPN Concentrator group mappings

Actually that doesn't really answer my question. Let me try to explain.

I create a user in Human Resources group in ACE server. I want to then go to ACS server and create a group called Human Resources with ACL policy. Obviously I cannot assign this user to the group because he/she does not exist in ACS yet. I want to give the user a VPN client package and thier token. When they log in for the first time I want the ACS server to look up the user in ACE and assign them to the same group that ACE has them in, In this example it's human resources.

New Member

Re: RSA to ACS to VPN Concentrator group mappings

IMHO there is no fixed 1:1 relationship between VPN users and groups in ACS. At least for VPN group locking the group assignment in the ACS user dialog does not do "group locking". If you do not make further restrictions (NAR etc.), other users (for example dial in users) could be used for VPN authentication and so on.

But you can lock your VPN users by using the Radius attribute 025, for example


Maybe this group locking will assign the ACE user to the right group when you have the chance to set up this radius attribute in the ACE user database. I do not know if this can be done.

If you can define your own attributes in ACE (and ACS will fetch this informations from ACE): Perhaps there are other attributes which may be helpful if 025 does not help.


states, that SecurID database isn't able to provide a per user defined ACS group assignment...