12-08-2010 02:07 PM - edited 03-10-2019 05:38 PM
Hi,
I have an issue with AD group mapping with local ACS (5.1). The issue is that it is able to authenticate any users in the AD even though I have a map with local ACS group to a particular group of the AD.
Here is my config:
1. Add two groups of AD to Directory Group in the Active Directory section of ACS
2. In the Default Device Admin
- Identity: AD1
- Group mapping: AD1:ExternalGroup (AD groupname) and Result: identity group: local ACS group
- Authorization profile:
identity group: acs local particular group
NDG:device type: all
NDG:location: ANY
Can someone explain to me what I am missing here?
Thanks
12-08-2010 03:26 PM
Hi pemasirid,
Can you send a report from the Monitoring and Reporting section of the ACS? Go to that section > Reports > AAA Protocol > TACACS/Radius Authentication (whichever you are using) and click the details icon next to a failed authentication. Send the resulting information.
Also you technically don't need the group mapping at all - you could delete that part and add the AD1:ExternalGroups directly to the access rules by clicking the customize button on that page. That could streamline the configuration a little.
Thanks,
Nate
12-08-2010 11:18 PM
Hi Austin,
Many thanks for your response. Actually my issue is not authentication failing, but authenticating non-IT users from the IT group, which I don't want (actually, authenticating any users in AD to my devices).
I have attached the TACACS report for passed authentication of a non-IT user. (Before the below changes)
Also I have removed the group mapping and added the AD1:ExternalGroups under the group mapping tab, but still no luck.
Thanks
12-09-2010 07:16 AM
Thanks for the clarification.
So it's hitting the rule called "Network Device Authorization" and returning the "Full Access" Shell profile. What are the conditions for that rule? Can you send a screenshot of that page?
Thanks,
Nate