Cisco Systems Servers Server User Manual


 
Chapter 12 Administering External User Databases
Database Group Mappings
12-14
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
starts at the top of the list of group mappings for that database. Cisco Secure ACS
checks the user's group memberships in the external user database against each
group mapping in the list sequentially. Upon finding the first group set mapping
that matches the user's external user database group memberships,
Cisco Secure ACS assigns the user to that group mapping's Cisco Secure ACS
group and terminates the mapping process.
Clearly, the order of group mappings is important because it affects the network
access and services allowed to users. When defining mappings for users who belong
to multiple groups, make sure they are in the correct order so that users are granted
the correct group settings.
For example, a user, Mary, is assigned to the three-group combination of
Engineering, Marketing, and Managers. Mary should be granted the privileges of
a manager rather than an engineer. Mapping A assigns users who belong to all
three of Mary's groups to Cisco Secure ACS Group 2. Mapping B assigns users
who belong to the Engineering and Marketing groups to Cisco Secure ACS
Group 1. If Mapping B is listed first, Cisco Secure ACS authenticates Mary as a
user of Group 1, and she is assigned to Group 1 rather than to Group 2, as
managers should be.
No Access Group for Group Set Mappings
To prevent remote access for users assigned a group by a particular group set
mapping, assign the group to the Cisco Secure ACS No Access group. For
example, you could assign all members of an external user database group
Contractors to the No Access group so they could not dial in to the network
remotely.
Default Group Mapping for Windows NT/2000
For Windows NT/2000 user databases, Cisco Secure ACS includes the ability to
define a default group mapping. If no other group mapping matches an unknown
user authenticated by a Windows NT/2000 user database, Cisco Secure ACS
assigns the user to a group based on the default group mapping.
Configuring the default group mapping for Windows NT/2000 user databases is
the same as editing an existing group mapping, with one exception. When editing
the default group mapping for Windows NT/2000, instead of selecting a valid
domain name on the Domain Configurations page, select \DEFAULT.
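
The following added example (not Cisco code, and not taken from the guide) models the first-match evaluation described above, including the No Access group and a default mapping, and adds a check that flags mappings an earlier entry makes unreachable. It assumes a mapping matches when the user belongs to every group in its set, as the Mary example implies; the function names, the placement of the Contractors mapping, and the "Group 0" default are hypothetical.

```python
# Added illustration: first-match group set mapping, modeled from the text.
# Assumption: a mapping matches when the user belongs to every group in its set.
NO_ACCESS = "No Access"

def resolve_group(mappings, memberships, default=None):
    """Return the ACS group of the first matching mapping, else the default."""
    user_groups = set(memberships)
    for group_set, acs_group in mappings:
        if set(group_set) <= user_groups:
            return acs_group  # first match terminates the mapping process
    return default  # stands in for the default group mapping

def shadowed_mappings(mappings):
    """Return (later, earlier) index pairs where the later mapping can never
    be reached: anyone matching it already matches the earlier one."""
    hits = []
    for later, (later_set, _) in enumerate(mappings):
        for earlier in range(later):
            if set(mappings[earlier][0]) <= set(later_set):
                hits.append((later, earlier))
                break
    return hits

# Constructed sample data using the names from the text.
MAPPING_A = ({"Engineering", "Marketing", "Managers"}, "Group 2")
MAPPING_B = ({"Engineering", "Marketing"}, "Group 1")
CONTRACTORS = ({"Contractors"}, NO_ACCESS)
MARY = {"Engineering", "Marketing", "Managers"}

correct_order = [CONTRACTORS, MAPPING_A, MAPPING_B]
wrong_order = [CONTRACTORS, MAPPING_B, MAPPING_A]

if __name__ == "__main__":
    print("correct order:", resolve_group(correct_order, MARY))
    print("wrong order:  ", resolve_group(wrong_order, MARY))
    print("shadowed:     ", shadowed_mappings(wrong_order))
    # "Group 0" is a constructed default for a user no mapping matches.
    print("unmatched:    ", resolve_group(correct_order, {"Sales"}, "Group 0"))
```

Running the shadowing check over a mapping list before deploying it catches the Mapping B before Mapping A mistake without needing a test user.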