
Chapter 16      User Group Mapping and Specification
Group Mapping by Group Set Membership
16-6
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Default Group Mapping for Windows
For Windows user databases, Cisco Secure ACS includes the ability to define a 
default group mapping. If no other group mapping matches an unknown user 
authenticated by a Windows user database, Cisco Secure ACS assigns the user to 
a group based on the default group mapping.
Configuring the default group mapping for Windows user databases is the same 
as editing an existing group mapping, with one exception. When editing the 
default group mapping for Windows, instead of selecting a valid domain name on 
the Domain Configurations page, select \DEFAULT.
For more information about editing an existing group mapping, see Editing a 
Windows, Novell NDS, or Generic LDAP Group Set Mapping, page 16-9.
Windows Group Mapping Limitations
Cisco Secure ACS has the following limits with respect to group mapping for 
users authenticated by a Windows user database:
• Cisco Secure ACS can only support group mapping for users who belong to 
500 or fewer Windows groups.
• Cisco Secure ACS can only perform group mapping using the local and 
global groups a user belongs to in the domain that authenticated the user. 
Group membership in domains trusted by the authenticating domain cannot 
be used for Cisco Secure ACS group mapping. This restriction is not removed 
by adding a remote group to a group local to the domain providing 
authentication.
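
The following added example (not Cisco code and not part of the original guide) models how the two limits above and the default mapping decide which group a Windows-authenticated user lands in, so that memberships can be audited before mappings are relied on. The function names, the record layout, the ordered "user holds every group in the set" matching rule, counting every membership toward the 500 limit, and all sample domains, groups and users are assumptions made for illustration.

```python
MAX_WINDOWS_GROUPS = 500  # limit stated in the guide

def audit_user(auth_domain, memberships, mappings, default_group):
    """Model which ACS group a Windows-authenticated user would land in.

    memberships: list of (domain, group) pairs the user belongs to.
    mappings:    ordered list of (required_group_set, acs_group); a mapping
                 matches when the user holds every group in the set (assumed).
    """
    findings = []
    if len(memberships) > MAX_WINDOWS_GROUPS:
        # The guide only says such users are unsupported; no outcome is modelled.
        findings.append(f"member of {len(memberships)} groups, over the 500 limit")
        return None, findings

    auth = auth_domain.upper()
    # Only groups in the domain that authenticated the user can be used.
    usable = {g for d, g in memberships if d.upper() == auth}
    ignored = sorted(f"{d}\\{g}" for d, g in memberships if d.upper() != auth)
    if ignored:
        findings.append("ignored (not in authenticating domain): " + ", ".join(ignored))

    for required, acs_group in mappings:
        if set(required) <= usable:
            return acs_group, findings

    findings.append("no mapping matched; default mapping applies")
    return default_group, findings

# Constructed sample data (hypothetical domains, groups and users).
MAPPINGS = [({"NetAdmins"}, "ACS-Admins"), ({"Staff", "VPN"}, "ACS-Remote")]
USERS = {
    "alice": [("CORP", "NetAdmins"), ("CORP", "Staff")],
    "bob": [("CORP", "Staff"), ("PARTNER", "NetAdmins")],
    "carol": [("CORP", f"Group{i}") for i in range(501)],
}

def run_audit():
    """Audit every sample user against the CORP authenticating domain."""
    return {u: audit_user("CORP", m, MAPPINGS, "ACS-Default") for u, m in USERS.items()}

if __name__ == "__main__":
    for user, (group, findings) in run_audit().items():
        print(user, group, findings)
```

In this model, bob's only matching group sits in a trusted domain, so he falls through to the default mapping; the group chosen for \DEFAULT therefore determines what such users are assigned.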