Hi everyone, I'm having a wierd ACS problem for AD group mapping.
The ACS is for a institution, and one student account in AD will belong to one of the following groups
All students in IST
All students in ASC
All students in ENG
All students in DES
All students in BUS
And I mapped these AD groups to ACS groups ISTSTU, ASCSTU, ENGSTU, DESSTU and BUSSTU correspondingly, and after these mappings, all the others will map to a group called NON-MATCH.
Now the customer found that a few students who are properly grouped in the AD will be mapped to the NON-MATCH group in the ACS. We rechecked the AD grouping and the ACS group mapping and found no problem. Anybody can give me a hint on how to troubleshoot this problem? Thanks.
This might be an issue with Database synchronization in the ACS or issue with external database.You can use the Database Group Mapping feature in the External User Databases section to associate unknown users with an ACS group for the purpose of assigning authorization profiles. For external user databases from which ACS can derive group information, you can associate the group memberships, which are defined for the users in the external user database, to specific ACS groups. For Windows user databases, group mapping is further specified by domain; because each domain maintains its own user database.Check agai for the mapping configuration of ACS using the configuration guide present in the following url:
Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless.
Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain
to which you are authenticating==Add mapping.
Select the AD group NetworkAdmin and map it to ciscosecure group 1
select the AD group RouterAdmin and map it to ciscosecure group 2
select the AD group Wireless and map it to ciscosecure group 3
Group mappings work in the order in which they are defined, first configured mapping is
looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and
that is mapped to ACS group 1 and it is first configured mapping it will be looked for
FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure
group 1 and NO further Mappings for this user is checked and user is authenticated or
Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin
group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2
and 3 respectively as per above mappings.
You can check the mappings on the passed authentications for users as to what group are
they getting mapped to.
Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not
wireless or RouterAdmin devices you would need to apply NARs to group 1 because
NetworkAdmin users are connecting to that group. Which you will permit Access on group
basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP
based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for routers and switches.
IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached username is to go to usersetup find that user and delete it manually.
ACS will not support the following configuration:
*An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3
groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
*The user is in all 3 groups however he will always be authenticated by group 1 because
that is the first group he appears in, even if there is a NAR configured assigning
specific AAA clients to the group.
However there if your mappings are in below order...
NT Groups ACS groups
A,B,C =============> Group 1
A =============> Group 2
B =============> Group 3
C =============> Group 4.
You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
You can create a rule for users in group A (Group 2)
You can create a rule for users in group B (Group 3)
You can create a rule for users in group C (Group 4)
Here I also enclose the links connected to group mapping in the user guide:
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...