Cisco Support Community
Silver

ACS group mapping

hello

We are using ACS 4.2 to authenticate network admins for access to switches and routers. ACS is integrated with Windows Active Directory.

So we map AD groups to ACS groups and specify the access restrictions in the ACS groups.

Now we want to use this ACS to authenticate wireless users. Wireless users will use their AD accounts.

So I think we should create a new internal group in ACS and map AD mobile users to this group. Using RADIUS attributes we can put these users in one particular VLAN.

However, what if a network administrator accesses the wireless network? He will use an AD account that belongs to both groups: the network-admin group and the wireless group.

So what will ACS do in this case? Will it be mapped to the first group, the second, or maybe both?

5 REPLIES
New Member

Re: ACS group mapping

The group selection will depend on the Group Mappings for the domain. The first group that matches will be the one applied.

Silver

Re: ACS group mapping

Thanks, Volven.

So in this case I cannot use the same ACS server to authenticate a network admin to the wireless network, is that right?

Can we say that the only solution is to use a separate ACS server for wireless users?

New Member (Accepted Solution)

Re: ACS group mapping

Are the network admins allowed access to the wireless network? If yes, then you do not need extra servers. Are you using NAPs on the ACS?

Silver

Re: ACS group mapping

I can't see how NAP can resolve my issue.

Suppose ohasairi is one account in AD that belongs to the AD groups network-admin and wireless-users.

AD network-admin is mapped to the ACS network-admin group. This group is configured with a NAR to limit access to some network devices.

AD wireless-users is mapped to the ACS wireless-users group, which is configured with the appropriate Airespace attributes and IETF attributes to put the user in VLAN 80 (the wireless VLAN).

Now, if I put the network-admin mapping first, then when ohasairi tries to access the wireless network it will not succeed, because the account will be mapped to the network-admin group, and this group is not configured with the IETF attributes that put the user in VLAN 80!

If I put the wireless-users mapping first, then when ohasairi tries to access a network device, I am afraid it will be assigned to VLAN 80!

New Member

Re: ACS group mapping

Hi,

As I asked in my previous post: if the network admins are allowed access to the wireless network, then you should be fine.

Have the network-admin group at the top of the mappings. Configure their group also with the Airespace and VLAN attributes. Additionally, you would have to permit this group to access the WLC, in case that was restricted by the NAR.

Since I do not know your environment, I cannot see if there are any limitations or make any other suggestions.

Cheers

Volven
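The following is a small model of the first-match group-mapping behaviour Volven describes, added to this page as an illustration; it is not code from the thread or from Cisco. The ACS group names and the VLAN 80 requirement come from the thread; the device names (SW1, WLC1), the second user "jdoe", the Airespace interface name, and the treatment of a NAR as a simple per-group allow-list of NAS names are assumptions made for the example. It shows why both mapping orders fail for an account in both AD groups, and how Volven's fix (network-admin first, with the WLC permitted by its NAR and the VLAN attributes added to that group) resolves it.

```python
"""Model of ACS 4.2 first-match AD-to-ACS group mapping (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AcsGroup:
    name: str
    # Simplified Network Access Restriction: NAS names this group may reach,
    # or None for "no restriction". (Assumption: real NARs match on NAS IP/port.)
    nar: Optional[Set[str]]
    # RADIUS attributes returned in the Access-Accept for this group
    attributes: Dict[str, str] = field(default_factory=dict)


# IETF tunnel attributes plus an Airespace attribute that place a wireless
# client in VLAN 80. The interface name is a constructed example value.
VLAN80_ATTRS = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "802",
    "Tunnel-Private-Group-ID": "80",
    "Airespace-Interface-Name": "wireless-vlan80",
}

# Constructed AD memberships: ohasairi (from the thread) is in both groups,
# jdoe is an ordinary wireless user.
AD_MEMBERSHIP = {
    "ohasairi": {"network-admin", "wireless-users"},
    "jdoe": {"wireless-users"},
}

Mapping = List[Tuple[str, str]]  # ordered (AD group, ACS group) pairs


def map_group(user: str, mappings: Mapping, groups: Dict[str, AcsGroup]) -> Optional[AcsGroup]:
    """ACS walks the domain's group mappings top-down; the first AD group the
    user belongs to wins, even if later mappings would also match."""
    for ad_group, acs_name in mappings:
        if ad_group in AD_MEMBERSHIP.get(user, set()):
            return groups[acs_name]
    return None  # assumption: no default-group mapping configured


def authorize(user: str, nas: str, mappings: Mapping, groups: Dict[str, AcsGroup]) -> Tuple[str, str, Dict[str, str]]:
    """Return (decision, reason/group, attributes) for a user authenticating via a NAS."""
    group = map_group(user, mappings, groups)
    if group is None:
        return ("REJECT", "no group mapping", {})
    if group.nar is not None and nas not in group.nar:
        return ("REJECT", f"NAR on {group.name} blocks {nas}", {})
    return ("ACCEPT", group.name, dict(group.attributes))


def scenario_admin_first_unfixed():
    """OP's first case: network-admin mapped first, its NAR covers only
    switches/routers and it carries no VLAN attributes."""
    groups = {
        "network-admin": AcsGroup("network-admin", nar={"SW1", "RTR1"}),
        "wireless-users": AcsGroup("wireless-users", nar={"WLC1"}, attributes=VLAN80_ATTRS),
    }
    mappings = [("network-admin", "network-admin"), ("wireless-users", "wireless-users")]
    return authorize("ohasairi", "WLC1", mappings, groups)


def scenario_wireless_first():
    """OP's second case: wireless-users mapped first. The admin logging in to a
    switch is handed the wireless group's VLAN attributes."""
    groups = {
        "network-admin": AcsGroup("network-admin", nar={"SW1", "RTR1"}),
        "wireless-users": AcsGroup("wireless-users", nar=None, attributes=VLAN80_ATTRS),
    }
    mappings = [("wireless-users", "wireless-users"), ("network-admin", "network-admin")]
    return authorize("ohasairi", "SW1", mappings, groups)


def scenario_fixed():
    """Volven's fix: network-admin first, WLC1 added to its NAR, VLAN attributes
    added to it as well. Plain wireless users stay confined to the WLC."""
    groups = {
        "network-admin": AcsGroup("network-admin", nar={"SW1", "RTR1", "WLC1"}, attributes=VLAN80_ATTRS),
        "wireless-users": AcsGroup("wireless-users", nar={"WLC1"}, attributes=VLAN80_ATTRS),
    }
    mappings = [("network-admin", "network-admin"), ("wireless-users", "wireless-users")]
    return {
        "admin_on_wlc": authorize("ohasairi", "WLC1", mappings, groups),
        "admin_on_switch": authorize("ohasairi", "SW1", mappings, groups),
        "user_on_wlc": authorize("jdoe", "WLC1", mappings, groups),
        "user_on_switch": authorize("jdoe", "SW1", mappings, groups),
    }


if __name__ == "__main__":
    print("admin first, unfixed:", scenario_admin_first_unfixed())
    print("wireless first      :", scenario_wireless_first())
    for label, result in scenario_fixed().items():
        print(f"fixed / {label:15}:", result)
```

The point the model makes explicit: because the mapping is first-match, the group at the top must carry the union of everything its members need (NAR entries for every NAS type they log in to, plus the wireless VLAN attributes), while the lower group only has to serve users who are not in the upper one. The price, as the thread notes, is that admins are then allowed onto the wireless network; if that is not acceptable, ordering alone cannot separate the two roles.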
