User Guide for Cisco Secure ACS for Windows Server 3.2
User Group Mapping and Specification

Table Of Contents

User Group Mapping and Specification

About User Group Mapping and Specification

Group Mapping by External User Database

Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database

Group Mapping by Group Set Membership

Group Mapping Order

No Access Group for Group Set Mappings

Default Group Mapping for Windows

Creating a Cisco Secure ACS Group Mapping for Windows, Novell NDS, or Generic LDAP Groups

Editing a Windows, Novell NDS, or Generic LDAP Group Set Mapping

Deleting a Windows, Novell NDS, or Generic LDAP Group Set Mapping

Deleting a Windows Domain Group Mapping Configuration

Changing Group Set Mapping Order

RADIUS-Based Group Specification

User Group Mapping and Specification


This chapter provides information about group mapping and specification. CiscoSecure AccessControlServer (ACS) for WindowsServer uses these features to assign users authenticated by an external user database to a single CiscoSecure ACS group.

This chapter contains the following topics:

About User Group Mapping and Specification

Group Mapping by External User Database

Group Mapping by Group Set Membership

RADIUS-Based Group Specification

About User Group Mapping and Specification

The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a CiscoSecure ACS group for assigning authorization profiles. For external user databases from which CiscoSecure ACS can derive group information, you can associate the group memberships defined for the users in the external user database to specific CiscoSecure ACS groups. For Windows user databases, group mapping is further specified by domain, because each domain maintains its own user database. For Novell NDS user databases, group mapping is further specified by trees, because CiscoSecure ACS supports multiple trees in a single Novell NDS user database.

In addition to the Database Group Mapping feature, for some database types, CiscoSecure ACS supports RADIUS-based group specification.

Group Mapping by External User Database

You can map an external database to a CiscoSecure ACS group. Unknown users who authenticate using the specified database automatically belong to, and inherit the authorizations of, the group. For example, you could configure CiscoSecure ACS so that all unknown users who authenticate with a certain token server database belong to a group called Telecommuters. You could then assign a group setup that is appropriate for users who are working away from home, such as MaxSessions=1. Or you could configure restricted hours for other groups, but give unrestricted access to Telecommuters group members.

While you can configure CiscoSecure ACS to map all unknown users found in any external user database type to a single CiscoSecure ACS group, the following external user database types are the external user database types whose users you can only map to a single CiscoSecure ACS group:

ODBC

LEAP Proxy RADIUS server

ActivCard token server

PassGo token server

CRYPTOCard token server

RADIUS token server

RSA SecurID token server

SafeWord token server

Vasco token server

For a subset of the external user database types listed above, group mapping by external database type is overridden on a user-by-user basis when the external user database specifies a CiscoSecure ACS group with its authentication response. CiscoSecure ACS supports specification of group membership for the following external user database types:

LEAP Proxy RADIUS server

ActivCard token server

CRYPTOCard token server

RADIUS token server

Vasco token server

For more information about specifying group membership for users authenticated with one of these database types, see RADIUS-Based Group Specification.

Additionally, users authenticated by an ODBC external user database can also be assigned to a specified CiscoSecure ACS group. Group specification by ODBC database authentication overrides group mapping. For more information about specifying group membership for users authenticated with an ODBC database, see ODBC Database.

Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database

To set or change a token server, ODBC, or LEAP Proxy RADIUS Server database group mapping, follow these steps:


Step1 In the navigation bar, click External User Databases .

Step2 Click Database Group Mappings .

Step3 Click the name of the token server, LEAP Proxy RADIUS Server, or ODBC database configuration for which you want to configure a group mapping.

The Define Group Mapping table appears.

Step4 From the Select a default group for database list, click the group to which users authenticated with this database should be assigned.


Tip The Select a default group for database list displays the number of users assigned to each group.


Step5 Click Submit .

CiscoSecure ACS assigns unknown and discovered users authenticated by the external database type you selected in Step3 to the CiscoSecure ACS group selected in Step4. For users authenticated by an ODBC, CRYPTOCard, Safeword, ActivCard, Vasco, PassGo, or LEAP Proxy RADIUS Server database, the mapping is only applied as a default if those databases did not specify a CiscoSecure ACS group for the user.


Note For more information about group specification for RADIUS token servers, see RADIUS-Based Group Specification. For more information about group specification for ODBC databases, see CiscoSecure ACS Authentication Process with an ODBC External User Database.



Group Mapping by Group Set Membership

You can create group mappings for some external user databases based on the combination of external user database groups to which users belong. The following are the external user database types for which you can create group mappings based on group set membership:

Windows Database

Novell NDS

Generic LDAP


Note Windows user databases are defined by domain name.


When you configure a CiscoSecure ACS group mapping based on group set membership, you can add one or many external user database groups to the set. For CiscoSecure ACS to map a user to the specified CiscoSecure ACS group, the user must match all external user database groups in the set.

As an example, you could configure a group mapping for users who belong to both the Engineering and Tokyo groups and a separate one for users who belong to both Engineering and London. You could then configure separate group mappings for the combinations of Engineering-Tokyo and Engineering-London and configure different access times for the CiscoSecure ACS groups to which they map. You could also configure a group mapping that only included the Engineering group that would map other members of the Engineering group who were not members of Tokyo or London.

Group Mapping Order

CiscoSecure ACS always maps users to a single CiscoSecure ACS group, yet a user can belong to more than one group set mapping. For example, a user, John, could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If there are CiscoSecure ACS group set mappings for both these combinations, CiscoSecure ACS has to determine to which group John should be assigned.

CiscoSecure ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user authenticated by an external user database is to be assigned to a CiscoSecure ACS group, CiscoSecure ACS starts at the top of the list of group mappings for that database. CiscoSecure ACS checks the user group memberships in the external user database against each group mapping in the list sequentially. Upon finding the first group set mapping that matches the external user database group memberships of the user, CiscoSecure ACS assigns the user to the CiscoSecure ACS group of that group mapping and terminates the mapping process.

Clearly, the order of group mappings is important because it affects the network access and services allowed to users. When defining mappings for users who belong to multiple groups, make sure they are in the correct order so that users are granted the correct group settings.

For example, a user, Mary, is assigned to the three-group combination of Engineering, Marketing, and Managers. Mary should be granted the privileges of a manager rather than an engineer. Mapping A assigns users who belong to all three groups Mary is in to CiscoSecure ACS Group2. Mapping B assigns users who belong to the Engineering and Marketing groups to CiscoSecure ACS Group1. If Mapping B is listed first, CiscoSecure ACS authenticates Mary as a user of Group1, and she is be assigned to Group1, rather than Group2 like managers should be.

No Access Group for Group Set Mappings

To prevent remote access for users assigned a group by a particular group set mapping, assign the group to the CiscoSecure ACS No Access group. For example, you could assign all members of an external user database group "Contractors" to the No Access group so they could not dial in to the network remotely.

Default Group Mapping for Windows

For Windows user databases, CiscoSecure ACS includes the ability to define a default group mapping. If no other group mapping matches an unknown user authenticated by a Windows user database, CiscoSecure ACS assigns the user to a group based on the default group mapping.

Configuring the default group mapping for Windows user databases is the same as editing an existing group mapping, with one exception. When editing the default group mapping for Windows, instead of selecting a valid domain name on the Domain Configurations page, select \DEFAULT.

For more information about editing an existing group mapping, see Editing a Windows, Novell NDS, or Generic LDAP Group Set Mapping.

Creating a Cisco Secure ACS Group Mapping for Windows, Novell NDS, or Generic LDAP Groups

To map a Windows, Novell NDS, or generic LDAP group to a CiscoSecure ACS group, follow these steps:


Step1 In the navigation bar, click External User Databases .

Step2 Click Database Group Mappings .

Step3 Click the external user database name for which you want to configure a group mapping.

If you are mapping a Windows group set, the Domain Configurations table appears. If you are mapping an NDS group set, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.

Step4 If you are mapping a Windows group set for a new domain, follow these steps:

a. Click New configuration .

The Define New Domain Configuration page appears.

b. If the Windows domain for which you want to create a group set mapping configuration appears in the Detected domains list, select the name of the domain.


Tip To clear your domain selection, click Clear Selection.


c. If the Windows domain for which you want to create a group set mapping does not appear in the Detected domains list, type the name of a trusted Windows domain in the Domain box.

d. Click Submit .

The new Windows domain appears in the list of domains in the Domain Configurations page.

Step5 If you are mapping a Windows group set, click the domain name for which you want to configure a group set mapping.

The Group Mappings for Domain: domainname table appears.

Step6 If you are mapping a Novell NDS group set, click the name of the Novell NDS tree for which you want to configure group set mappings.

The Group Mappings for NDS Users table appears.

Step7 Click Add Mapping .

The Create new group mapping for database page opens. The group list displays group names derived from the external user database.

Step8 For each group to be added to the group set mapping, select the name of the applicable external user database group in the group list, and then click Add to selected .


Note A user must match all the groups in the Selected list so that CiscoSecure ACS can use this group set mapping to map the user to a CiscoSecure ACS group; however, a user can also belong to other groups (in addition to the groups listed) and still be mapped to a CiscoSecure ACS group.



Tip To remove a group from the mapping, select the name of the group in the Selected list, and then click Remove from selected .


The Selected list shows all the groups that a user must belong to in order to be mapped to a CiscoSecure ACS group.

Step9 In the CiscoSecure group list, select the name of the CiscoSecure ACS group to which you want to map users who belong to all the external user database groups in the Selected list.


Note You can also select <No Access>. For more information about the <No Access> group, see No Access Group for Group Set Mappings.


Step10 Click Submit .

The group set you mapped to the CiscoSecure ACS list appears at the bottom of the database groups column.


Note The asterisk at the end of each set of groups indicates that users authenticated with the external user database can belong to other groups besides those in the set.



Editing a Windows, Novell NDS, or Generic LDAP Group Set Mapping

You can change the CiscoSecure ACS group to which a group set mapping is mapped.


Note The external user database groups of an existing group set mapping cannot be edited. If you want to add or remove external user database groups from the group set mapping, delete the group set mapping and create one with the revised set of groups.


To edit a Windows, Novell NDS, or generic LDAP group mapping, follow these steps:


Step1 In the navigation bar, click External User Databases .

Step2 Click Database Group Mappings .

Step3 Click the external user database name for which you want to edit a group set mapping.

If you are editing a Windows group set mapping, the Domain Configurations table appears. If you are editing an NDS group set mapping, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.

Step4 If you are editing a Windows group set mapping, click the domain name for which you want to edit a group set mapping.

The Group Mappings for Domain: domainname table appears.

Step5 If you are editing a Novell NDS group set mapping, click the name of the Novell NDS tree for which you want to edit a group set mapping.

The Group Mappings for NDS Users table appears.

Step6 Click the group set mapping to be edited.

The Edit mapping for database page opens. The external user database group or groups included in the group set mapping appear above the CiscoSecure group list.

Step7 From the CiscoSecure group list, select the name of the group to which the set of external database groups should be mapped, and then click Submit .


Note You can also select <No Access>. For more information about the <No Access> group, see No Access Group for Group Set Mappings.


Step8 Click Submit .

The Group Mappings for database page opens again with the changed group set mapping listed.


Deleting a Windows, Novell NDS, or Generic LDAP Group Set Mapping

You can delete individual group set mappings.

To delete a Windows, Novell NDS, or generic LDAP group mapping, follow these steps:


Step1 In the navigation bar, click External User Databases .

Step2 Click Database Group Mappings .

Step3 Click the external user database configuration whose group set mapping you need to delete.

If you are deleting a Windows group set mapping, the Domain Configurations table appears. If you are deleting an NDS group set mapping, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.

Step4 If you are deleting a Windows group set mapping, click the domain name whose group set mapping you want to delete.

The Group Mappings for Domain: domainname table appears.

Step5 If you are deleting a Novell NDS group set mapping, click the name of the Novell NDS tree whose group set mapping you want to delete.

The Group Mappings for NDS Users table appears.

Step6 Click the group set mapping you want to delete.

Step7 Click Delete .

CiscoSecure ACS displays a confirmation dialog box.

Step8 Click OK in the confirmation dialog box.

CiscoSecure ACS deletes the selected external user database group set mapping.


Deleting a Windows Domain Group Mapping Configuration

You can delete an entire group mapping configuration for a Windows domain. When you delete a Windows domain group mapping configuration, all group set mappings in the configuration are deleted.

To delete a Windows group mapping, follow these steps:


Step1 In the navigation bar, click External User Databases .

Step2 Click Database Group Mappings .

Step3 Click the name of the Windows external user database.

Step4 Click the domain name whose group set mapping you want to delete.

Step5 Click Delete Configuration .

CiscoSecure ACS displays a confirmation dialog box.

Step6 Click OK in the confirmation dialog box.

CiscoSecure ACS deletes the selected external user database group mapping configuration.


Changing Group Set Mapping Order

You can change the order in which CiscoSecure ACS checks group set mappings for users authenticated by Windows, Novell NDS, and generic LDAP databases. To order group mappings, you must have already mapped them. For more information about creating group mappings, see Creating a CiscoSecure ACS Group Mapping for Windows, Novell NDS, or Generic LDAP Groups.

To change the order of group mappings for a Windows, Novell NDS, or generic LDAP group mapping, follow these steps:


Step1 In the navigation bar, click External User Databases .

Step2 Click Database Group Mappings .

Step3 Click the external user database name for which you want to configure group set mapping order.

If you are ordering Windows group set mappings, the Domain Configurations table appears. If you are ordering NDS group set mappings, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.

Step4 If you are configuring Windows group mapping order, click the domain name for which you want to configure group set mapping order.

The Group Mappings for Domain: domainname table appears.

Step5 If you are configuring Novell NDS group set mapping order, click the name of the Novell NDS tree for which you want to configure group set mapping order.

The Group Mappings for NDS Users table appears.

Step6 Click Order mappings .


Note The Order mappings button appears only if more than one group set mapping exists for the current database.


The Order mappings for database page appears. The group mappings for the current database appear in the Order list.

Step7 Select the name of a group set mapping you want to move, and then click Up or Down until it is in the position you want.

Step8 Repeat Step7 until the group mappings are in the order you need.

Step9 Click Submit .

The Group Mappings for database page displays the group set mappings in the order you defined.


RADIUS-Based Group Specification

For some types of external user databases, CiscoSecure ACS supports the assignment of users to specific CiscoSecure ACS groups based upon the RADIUS authentication response from the external user database. This is provided in addition to the unknown user group mapping described in Group Mapping by External User Database. RADIUS-based group specification overrides group mapping. The database types that support RADIUS-based group specification are as follows:

LEAP Proxy RADIUS server

CRYPTOCard token server

PassGo token server

Safeword token server

ActivCard token server

Vasco token server

RADIUS token server

CiscoSecure ACS supports per-user group mapping for users authenticated with a LEAP Proxy RADIUS Server database. This is provided in addition to the default group mapping described in Group Mapping by External User Database.

To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair with the following value:

ACS:CiscoSecure-Group-Id = N

where N is the CiscoSecure ACS group number (0 through 499) to which CiscoSecure ACS should assign the user. For example, if the LEAP Proxy RADIUS Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair:

ACS:CiscoSecure-Group-Id = 37

CiscoSecure ACS assigns the user to group 37 and applies authorization associated with group 37.