Chapter 12 Administering External User Databases
Database Group Mappings
12-14
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
starts at the top of the list of group mappings for that database. Cisco Secure ACS
checks the user’s group memberships in the external user database against each
group mapping in the list sequentially. Upon finding the first group set mapping
that matches the user’s external user database group memberships,
Cisco Secure ACS assigns the user to that group mapping’s Cisco Secure ACS
group and terminates the mapping process.
Clearly, the order of group mappings is important, because it determines the
network access and services granted to users. When defining mappings for users
who belong to multiple groups, make sure the mappings are in the correct order so
that users receive the correct group settings.
For example, a user, Mary, is assigned to the three-group combination of
Engineering, Marketing, and Managers. Mary should be granted the privileges of
a manager rather than an engineer. Mapping A assigns users who belong to all
three of Mary’s groups to Cisco Secure ACS Group 2. Mapping B assigns users
who belong to the Engineering and Marketing groups to Cisco Secure ACS
Group 1. If Mapping B is listed first, Cisco Secure ACS authenticates Mary as a
user of Group 1, and she is assigned to Group 1 rather than to Group 2, as
managers should be.
No Access Group for Group Set Mappings
To prevent remote access for users assigned a group by a particular group set
mapping, assign the group to the Cisco Secure ACS No Access group. For
example, you could assign all members of an external user database group
“Contractors” to the No Access group so they could not dial in to the network
remotely.
Default Group Mapping for Windows NT/2000
For Windows NT/2000 user databases, Cisco Secure ACS includes the ability to
define a default group mapping. If no other group mapping matches an unknown
user authenticated by a Windows NT/2000 user database, Cisco Secure ACS
assigns the user to a group based on the default group mapping.
Configuring the default group mapping for Windows NT/2000 user databases is
the same as editing an existing group mapping, with one exception. When editing
the default group mapping for Windows NT/2000, instead of selecting a valid
domain name on the Domain Configurations page, select \DEFAULT.
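The following Python simulation is an added illustration of the first-match group set mapping described above; it is not Cisco code and does not talk to Cisco Secure ACS. It models the rule the guide gives (mappings are checked top to bottom, the first match wins) and the matching semantics implied by the Mary example (a mapping matches when the user belongs to every external group in its set), then reproduces the Mary ordering problem, the No Access mapping for contractors, and the \DEFAULT fallback. The `audit_shadowed_mappings` check is an addition of mine: it flags a mapping whose group set is a superset of an earlier mapping's set, which can never match because the earlier, more general mapping always wins first. All group names, the mapping list and the default group are constructed sample values.

```python
"""Simulation of Cisco Secure ACS group set mapping order (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

NO_ACCESS = "No Access"  # the Cisco Secure ACS group that denies remote access


@dataclass(frozen=True)
class GroupMapping:
    # External user database groups that must ALL be present for this mapping to match
    external_groups: frozenset
    # Cisco Secure ACS group the user is assigned to when the mapping matches
    acs_group: str


def resolve_acs_group(user_groups: Iterable[str],
                      mappings: List[GroupMapping],
                      default_group: Optional[str] = None) -> Optional[str]:
    """Walk the mapping list from the top; the first mapping whose group set is
    a subset of the user's external memberships wins and the walk stops.
    If nothing matches, return default_group (the \\DEFAULT mapping for
    Windows NT/2000 databases), or None when no default is defined."""
    memberships = frozenset(user_groups)
    for mapping in mappings:
        if mapping.external_groups <= memberships:
            return mapping.acs_group
    return default_group


def audit_shadowed_mappings(mappings: List[GroupMapping]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, shadowing_index) pairs: a later mapping whose
    group set is a superset of an earlier mapping's set can never match,
    because any user satisfying it already satisfied the earlier one.
    An empty result means every mapping is reachable."""
    shadowed = []
    for i, earlier in enumerate(mappings):
        for j in range(i + 1, len(mappings)):
            if earlier.external_groups <= mappings[j].external_groups:
                shadowed.append((j, i))
    return shadowed


def order_most_specific_first(mappings: List[GroupMapping]) -> List[GroupMapping]:
    """Stable sort so that larger (more specific) group sets come first; this
    is one ordering that removes superset shadowing without dropping mappings."""
    return sorted(mappings, key=lambda m: -len(m.external_groups))


# Constructed sample mappings taken from the Mary example in the text.
MAPPING_A = GroupMapping(frozenset({"Engineering", "Marketing", "Managers"}), "Group 2")
MAPPING_B = GroupMapping(frozenset({"Engineering", "Marketing"}), "Group 1")
# Constructed No Access mapping for the "Contractors" external group.
MAPPING_CONTRACTORS = GroupMapping(frozenset({"Contractors"}), NO_ACCESS)

MARY = ["Engineering", "Marketing", "Managers"]      # constructed user
CONTRACTOR = ["Contractors", "Marketing"]             # constructed user
UNKNOWN_USER = ["Sales"]                              # matches no mapping


def mary_with_b_first() -> Optional[str]:
    # Mapping B listed first: Mary is assigned to Group 1 (the problem case)
    return resolve_acs_group(MARY, [MAPPING_B, MAPPING_A])


def mary_with_a_first() -> Optional[str]:
    # Mapping A listed first: Mary gets Group 2, as managers should
    return resolve_acs_group(MARY, [MAPPING_A, MAPPING_B])


def contractor_result() -> Optional[str]:
    # Contractors hit the No Access mapping before any other mapping can match
    return resolve_acs_group(CONTRACTOR, [MAPPING_CONTRACTORS, MAPPING_A, MAPPING_B])


def unknown_user_result() -> Optional[str]:
    # No mapping matches, so the \DEFAULT mapping (hypothetical "Group 3") applies
    return resolve_acs_group(UNKNOWN_USER, [MAPPING_A, MAPPING_B], default_group="Group 3")


if __name__ == "__main__":
    print("Mary, B first:", mary_with_b_first())
    print("Mary, A first:", mary_with_a_first())
    print("Shadowed in [B, A]:", audit_shadowed_mappings([MAPPING_B, MAPPING_A]))
    print("Reordered:", [m.acs_group for m in order_most_specific_first([MAPPING_B, MAPPING_A])])
    print("Contractor:", contractor_result())
    print("Unknown user:", unknown_user_result())
```

Running `audit_shadowed_mappings` over an exported mapping list is a cheap way to catch the Mary-style ordering mistake before it grants the wrong privileges; a non-empty result names the mapping that will never fire and the earlier mapping that eclipses it.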