Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Bronze

User in multiple Windows/ACS Group. One deny one permit

I have multiple groups on ACS each one tied to a group in windows AD.

I have a VPN concentrator and a Wireless Lan controller.

I'm using ACS to authenticate access to both, but I would like some VPN users to have wireless user also, not all of them.

If I use NAR to restrict "VPN users" to access WLC device all the users who has access to VPN is denied access to wireless, even the ones who are in the Wireless group.

Is there anyway to get it working?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: User in multiple Windows/ACS Group. One deny one permit

This is how it works.

Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin,

Wireless.

Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain

to which you are authenticating==Add mapping.

Select the AD group NetworkAdmin and map it to ciscosecure group 1 select the AD group RouterAdmin and map it to ciscosecure group 2

select the AD group Wireless and map it to ciscosecure group 3

Group mappings work in the order in which they are defined, first configured mapping is

looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and

that is mapped to ACS group 1 and it is first configured mapping it will be looked for

FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure

group 1 and NO further Mappings for this user is checked and user is authenticated or

rejected)

Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin

group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2

and 3 respectively as per above mappings.

You can check the mappings on the passed authentications for users as to what group are

they getting mapped to.

SCENARIO:

Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not

wireless or RouterAdmin devices you would need to apply NARs to group 1 because

NetworkAdmin users are connecting to that group. Which you will permit Access on group

basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.

NOTE:

If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP

based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for

routers and switches.

IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached username is to go to usersetup find that user and delete it manually.

ACS will not support the following configuration:

*An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3

groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.

*The user is in all 3 groups however he will always be authenticated by group 1 because

that is the first group he appears in, even if there is a NAR configured assigning

specific AAA clients to the group.

However there if your mappings are in below order...

NT Groups ACS groups

A,B,C =============> Group 1

A =============> Group 2

B =============> Group 3

C =============> Group 4.

You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.

This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).

You can create a rule for users in group A (Group 2)

You can create a rule for users in group B (Group 3)

You can create a rule for users in group C (Group 4)

Here I also enclose the links connected to group mapping in the user guide:

Group mapping order:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/qg.htm

#wp940485

Regards,

~JG

Do rate helpful posts

2 REPLIES
Hall of Fame Super Blue

Re: User in multiple Windows/ACS Group. One deny one permit

Try creating 3 groups

Wireless only

VPN only

VPN & wireless

Jon

Re: User in multiple Windows/ACS Group. One deny one permit

This is how it works.

Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin,

Wireless.

Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain

to which you are authenticating==Add mapping.

Select the AD group NetworkAdmin and map it to ciscosecure group 1 select the AD group RouterAdmin and map it to ciscosecure group 2

select the AD group Wireless and map it to ciscosecure group 3

Group mappings work in the order in which they are defined, first configured mapping is

looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and

that is mapped to ACS group 1 and it is first configured mapping it will be looked for

FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure

group 1 and NO further Mappings for this user is checked and user is authenticated or

rejected)

Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin

group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2

and 3 respectively as per above mappings.

You can check the mappings on the passed authentications for users as to what group are

they getting mapped to.

SCENARIO:

Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not

wireless or RouterAdmin devices you would need to apply NARs to group 1 because

NetworkAdmin users are connecting to that group. Which you will permit Access on group

basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.

NOTE:

If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP

based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for

routers and switches.

IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached username is to go to usersetup find that user and delete it manually.

ACS will not support the following configuration:

*An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3

groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.

*The user is in all 3 groups however he will always be authenticated by group 1 because

that is the first group he appears in, even if there is a NAR configured assigning

specific AAA clients to the group.

However there if your mappings are in below order...

NT Groups ACS groups

A,B,C =============> Group 1

A =============> Group 2

B =============> Group 3

C =============> Group 4.

You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.

This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).

You can create a rule for users in group A (Group 2)

You can create a rule for users in group B (Group 3)

You can create a rule for users in group C (Group 4)

Here I also enclose the links connected to group mapping in the user guide:

Group mapping order:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/qg.htm

#wp940485

Regards,

~JG

Do rate helpful posts

205
Views
5
Helpful
2
Replies
CreatePlease to create content