
New Member

User Multiple Active Directory Group Membership Mapping

Hi all,

We got ACS 4.2 and two types of user access to our network :

1_  We got some users in  "CiscoAdmins" Active Directory Group, corresponding mapped Cisco ACS group is "Switch Admins".

2_  We also have some users in "VPN_Users" Active Directory Group, corresponding mapped Cisco ACS group is "VPN_Users".

In the "Order mapping" page on Cisco ACS 4.2, we put the "CiscoAdmins" Active Directory Group Mapping on top of the "VPN_Users" Active Directory Group mapping. So what happens is, if a user belongs to both the "CiscoAdmins" and "VPN_Users" groups in Active Directory, the user always goes into the "Switch_Admins" group in Cisco ACS.

However for some users (who belong  to both groups in Active Directory)  we need to apply some IP assignment and specific authorization.

Any suggestions are welcome.

thanks in advance.

Dumlu

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: User Multiple Active Directory Group Membership Mapping

Yes, ACS checks for user group membership, and it can determine if a user is a member of multiple groups and then map it to the corresponding ACS group. A few extra materials on ACS group mapping:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMap.html#wp940538#wp940538

-

Note: Please rate the answer if it helped

4 REPLIES
New Member

Re: User Multiple Active Directory Group Membership Mapping

I see that a few users in AD belong to both groups; follow the steps below to meet your criteria.

Here we assume the two groups on AD are Wireless and VPN.


Please follow the below suggestion:

To achieve this:
1. We can create 3 groups on the ACS: 1) Wireless, 2) VPN, 3) Wireless+VPN.
2. Then in Windows group mapping:
   Wireless+VPN (on ACS) maps to two groups, Wireless on AD and VPN on AD;
   then Wireless (ACS) maps to Wireless on AD;
   VPN (ACS) maps to VPN on AD.
3. Ensure that the mapping order is as follows:
   1) Wireless+VPN group (on ACS) maps to two groups on AD, Wireless and VPN.
   2) Wireless (ACS) maps to Wireless on AD.
   3) VPN (ACS) maps to VPN on AD.
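The steps above depend on two properties of ordered group mapping: rules are evaluated top-down and the first match wins, and a rule that lists several AD groups matches only a user who is a member of all of them. The following simulation is an added example (not code from the thread or from Cisco ACS) that models those two properties to show why the combined Wireless+VPN rule has to sit above the single-group rules; the "all listed groups required" semantics is an assumption about how ACS 4.2 evaluates a multi-group mapping, and the user names and group lists are constructed sample data.

```python
"""Simulate ordered AD-group-to-ACS-group mapping (added example).

Assumptions (not verified against ACS source): mappings are evaluated
top-down, the first match wins, and a mapping that lists several AD
groups matches only when the user is a member of every one of them.
"""
from typing import Dict, FrozenSet, List, Tuple

# One mapping: (AD groups the user must belong to, target ACS group name).
Mapping = Tuple[FrozenSet[str], str]


def map_user(ad_groups: List[str], mappings: List[Mapping],
             default: str = "Default Group") -> str:
    """Return the ACS group for a user: the first mapping whose required
    AD group set is fully contained in the user's membership wins."""
    member_of = {g.lower() for g in ad_groups}  # AD names are case-insensitive
    for required, acs_group in mappings:
        if {g.lower() for g in required} <= member_of:
            return acs_group
    return default


def shadowed_mappings(mappings: List[Mapping]) -> List[str]:
    """Config check: list ACS groups whose mapping can never match because an
    earlier mapping requires a subset of the same AD groups (it always fires first)."""
    shadowed = []
    for i, (required, acs_group) in enumerate(mappings):
        req = {g.lower() for g in required}
        for earlier_required, _ in mappings[:i]:
            if {g.lower() for g in earlier_required} <= req:
                shadowed.append(acs_group)
                break
    return shadowed


# Order as described in the question: only single-group rules exist, so a
# member of both AD groups always lands in the first rule's ACS group.
ORIGINAL_ORDER: List[Mapping] = [
    (frozenset({"CiscoAdmins"}), "Switch_Admins"),
    (frozenset({"VPN_Users"}), "VPN_Users"),
]

# Order suggested in the answer: the combined rule first, then the singles.
SUGGESTED_ORDER: List[Mapping] = [
    (frozenset({"CiscoAdmins", "VPN_Users"}), "Switch_Admins+VPN"),
    (frozenset({"CiscoAdmins"}), "Switch_Admins"),
    (frozenset({"VPN_Users"}), "VPN_Users"),
]

# Same three rules in the wrong order: the combined rule is unreachable.
WRONG_ORDER: List[Mapping] = [
    (frozenset({"CiscoAdmins"}), "Switch_Admins"),
    (frozenset({"VPN_Users"}), "VPN_Users"),
    (frozenset({"CiscoAdmins", "VPN_Users"}), "Switch_Admins+VPN"),
]

# Constructed sample users and their AD group membership (not real accounts).
USERS: Dict[str, List[str]] = {
    "alice": ["CiscoAdmins"],
    "bob": ["VPN_Users"],
    "carol": ["CiscoAdmins", "VPN_Users", "Domain Users"],
    "dave": ["Domain Users"],
}


def evaluate_all(mappings: List[Mapping]) -> Dict[str, str]:
    """Map every sample user under the given mapping order."""
    return {user: map_user(groups, mappings) for user, groups in USERS.items()}


if __name__ == "__main__":
    for label, order in (("original", ORIGINAL_ORDER),
                         ("suggested", SUGGESTED_ORDER),
                         ("wrong", WRONG_ORDER)):
        print(label, evaluate_all(order), "shadowed:", shadowed_mappings(order))
```

Running the module shows carol (a member of both AD groups) landing in Switch_Admins under the original and wrong orders and in Switch_Admins+VPN only under the suggested order, while `shadowed_mappings` flags the unreachable combined rule in the wrong order. That subset check is a useful sanity test to run over any ordered mapping list before relying on it for per-group authorization or IP assignment.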

New Member

Re: User Multiple Active Directory Group Membership Mapping

Hi ,

Thanks for getting back. Haven't tried your suggestion so far, but curious, how does it work if I map two different AD groups ("wireless", "vpn") to the same ACS group (wireless+vpn)?

I thought when AD sends an authentication result message to ACS, it also sends the AD group names which that user belongs to.

So ACS receives that that specific user is a member of the "wireless" AD group, and also a member of the "vpn" AD group. Whichever group name ACS reads first, that user should belong to the corresponding ACS group.

But what you are actually saying is, if I map a specific ACS group ("wireless+vpn") to two different AD groups, ACS checks the authentication result message from the AD server for both group names?

Am I getting this correct ?

Thanks a lot.

Dumlu

New Member

Re: User Multiple Active Directory Group Membership Mapping

Well, apparently I haven't done my homework. Thanks a lot aneelaka, you've been a great help!

Dumlu
