ACS 5.1 group mapping with AD

pemasirid
Level 1

Hi,

I have an issue with AD group mapping on a local ACS (5.1). The issue is that it is able to authenticate any user in the AD, even though I have a mapping from a local ACS group to a particular group of the AD.

Here is my config:

1. Added two AD groups to Directory Groups in the Active Directory section of ACS.

2. In the Default Device Admin:

   - Identity: AD1

   - Group mapping: AD1:ExternalGroups (AD group name) and Result: identity group: local ACS group

   - Authorization profile:

     identity group: ACS local particular group

     NDG:Device Type: All

     NDG:Location: ANY

Can someone explain to me what I am missing here?

Thanks

3 Replies

Nate Austin
Cisco Employee

Hi pemasirid,

Can you send a report from the Monitoring and Reporting section of the ACS? Go to that section > Reports > AAA Protocol > TACACS/RADIUS Authentication (whichever you are using) and click the details icon next to a failed authentication. Send the resulting information.

Also, you technically don't need the group mapping at all; you could delete that part and add AD1:ExternalGroups directly to the access rules by clicking the Customize button on that page. That could streamline the configuration a little.

Thanks,

Nate

Hi Austin,

Many thanks for your response. Actually my issue is not authentication failing, but authenticating non-IT users from the IT group, which I don't want (actually, authenticating any user in AD to my devices).

I have attached the TACACS report for a passed authentication of a non-IT user (before the changes below).

Also, I have removed the group mapping and added AD1:ExternalGroups under the group mapping tab, but still no luck.

Thanks

Thanks for the clarification.

So it's hitting the rule called "Network Device Authorization" and returning the "Full Access" shell profile. What are the conditions for that rule? Can you send a screenshot of that page?

Thanks,

Nate
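The behaviour the thread is chasing (every AD user lands on "Network Device Authorization" and gets "Full Access") is what a first-match authorization rule table does when the matching rule carries no identity-group or external-group condition: NDG:Device Type "All" and NDG:Location "ANY" match every request, so nothing restricts it to the mapped group. The following is an added example, not code from the original thread or from Cisco ACS; it is a small Python model of first-match policy evaluation with group mapping and a Default rule. The rule names, the AD group DN, the user names and the device attributes are constructed for illustration, and the model assumes (as ACS 5.x does) that rules are evaluated top to bottom and that a condition left unselected matches any value.

```python
"""Toy first-match model of an ACS 5.x-style authorization rule table.

Added example, not Cisco code. It shows why a rule whose only selected
conditions are NDG:Device Type=All and NDG:Location=ANY matches every
AD-authenticated user, and how adding an identity-group condition (via
group mapping) or an AD1:ExternalGroups condition (Nate's suggestion)
confines "Full Access" to the intended group.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    ad_groups: FrozenSet[str]   # groups returned by AD for the user
    device_type: str            # NDG:Device Type of the network device
    location: str               # NDG:Location of the network device


@dataclass(frozen=True)
class Rule:
    name: str
    result: str                                   # shell profile to return
    identity_groups: Optional[FrozenSet[str]] = None   # local ACS identity groups; None = ANY
    external_groups: Optional[FrozenSet[str]] = None   # AD1:ExternalGroups; None = ANY
    device_types: Optional[FrozenSet[str]] = None      # NDG:Device Type; None = All
    locations: Optional[FrozenSet[str]] = None         # NDG:Location; None = ANY


def map_groups(ad_groups: FrozenSet[str], mapping: Dict[str, str]) -> FrozenSet[str]:
    """Group mapping: AD external group -> local ACS identity group."""
    return frozenset(mapping[g] for g in ad_groups if g in mapping)


def _cond_ok(cond: Optional[FrozenSet[str]], values: FrozenSet[str]) -> bool:
    # An unselected condition (None) matches anything, exactly the trap in the thread.
    return cond is None or bool(cond & values)


def matches(rule: Rule, req: Request, identity_groups: FrozenSet[str]) -> bool:
    return (_cond_ok(rule.identity_groups, identity_groups)
            and _cond_ok(rule.external_groups, req.ad_groups)
            and _cond_ok(rule.device_types, frozenset({req.device_type}))
            and _cond_ok(rule.locations, frozenset({req.location})))


def authorize(rules: Sequence[Rule], req: Request, mapping: Dict[str, str],
              default: str = "DenyAccess") -> Tuple[str, str]:
    """First match wins; the Default rule at the bottom catches everything else."""
    groups = map_groups(req.ad_groups, mapping)
    for rule in rules:
        if matches(rule, req, groups):
            return rule.name, rule.result
    return "Default", default


# Constructed sample data (hypothetical DN, users and groups).
IT_ADMINS_DN = "CN=IT-Admins,OU=Groups,DC=example,DC=com"
MAPPING = {IT_ADMINS_DN: "IT-Admins"}          # AD1:ExternalGroups -> local identity group

IT_USER = Request("alice", frozenset({IT_ADMINS_DN, "CN=Domain Users,DC=example,DC=com"}),
                  "Switch", "HQ")
NON_IT_USER = Request("bob", frozenset({"CN=Domain Users,DC=example,DC=com"}),
                      "Switch", "HQ")

# The rule as described in the thread: only NDG conditions, both wide open.
RULES_AS_POSTED = [
    Rule("Network Device Authorization", "Full Access",
         device_types=None, locations=None),
]

# Fix 1: keep group mapping and require the mapped identity group.
RULES_WITH_IDENTITY_GROUP = [
    Rule("Network Device Authorization", "Full Access",
         identity_groups=frozenset({"IT-Admins"})),
]

# Fix 2: drop group mapping and put AD1:ExternalGroups directly on the rule.
RULES_WITH_EXTERNAL_GROUP = [
    Rule("Network Device Authorization", "Full Access",
         external_groups=frozenset({IT_ADMINS_DN})),
]

if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED),
                         ("identity group", RULES_WITH_IDENTITY_GROUP),
                         ("external group", RULES_WITH_EXTERNAL_GROUP)):
        for req in (IT_USER, NON_IT_USER):
            print(f"{label:15} {req.user:6} -> {authorize(rules, req, MAPPING)}")
```

Run as-is, the "as posted" table returns "Full Access" for both users, which is the report the original poster attached; either corrected table sends bob to the Default rule and only alice to "Full Access". In the real ACS the equivalent check is the one Nate asks for: open the "Network Device Authorization" rule and confirm that an Identity Group or AD1:ExternalGroups condition is actually selected, not just the two NDG conditions.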