Group mapping by external user database – Cisco 3.3 User Manual


Chapter 16 User Group Mapping and Specification


User Guide for Cisco Secure ACS for Windows Server

78-16592-01

specified by domain, because each domain maintains its own user database. For
Novell NDS user databases, group mapping is further specified by trees, because
Cisco Secure ACS supports multiple trees in a single Novell NDS user database.

In addition to the Database Group Mapping feature, for some database types,
Cisco Secure ACS supports RADIUS-based group specification.

Group Mapping by External User Database

You can map an external database to a Cisco Secure ACS group. Unknown users
who authenticate using the specified database automatically belong to, and inherit
the authorizations of, the group. For example, you could configure Cisco Secure
ACS so that all unknown users who authenticate with a certain token server
database belong to a group called Telecommuters. You could then assign a group
setup that is appropriate for users who are working away from home, such as
MaxSessions=1. Or you could configure restricted hours for other groups, but
give unrestricted access to Telecommuters group members.

You can configure Cisco Secure ACS to map all unknown users found in any
external user database type to a single Cisco Secure ACS group. For the following
external user database types, this is the only kind of mapping available; their
users can be mapped only to a single Cisco Secure ACS group:

ODBC

LEAP Proxy RADIUS server

RADIUS token server

RSA SecurID token server

For a subset of the external user database types listed above, group mapping by
external database type is overridden on a user-by-user basis when the external user
database specifies a Cisco Secure ACS group with its authentication response.
Cisco Secure ACS supports specification of group membership for the following
external user database types:

LEAP Proxy RADIUS server

RADIUS token server

For more information about specifying group membership for users authenticated
with one of these database types, see RADIUS-Based Group Specification,
page 16-14.
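The precedence described above, modelled as an added example that is not Cisco code: a group named in the authentication response wins over the database-level mapping, but only for the two database types that support it. The class, function and database instance names and the sample events are constructed for illustration, and the listing of overrides shows where the external server, rather than the ACS mapping, decided a user's group.

```python
# Added illustration: a model of the group-resolution precedence described above.
# All names and data structures are hypothetical, not Cisco Secure ACS interfaces.
from dataclasses import dataclass
from typing import Optional

# Database types whose authentication response may name an ACS group (per the text).
GROUP_SPECIFYING_TYPES = {"LEAP Proxy RADIUS server", "RADIUS token server"}

@dataclass
class AuthEvent:
    user: str
    db_name: str                          # configured external database instance
    db_type: str                          # one of the database types listed above
    response_group: Optional[str] = None  # group named in the auth response, if any

def resolve_group(event, db_mapping):
    """Return (group, source) for an unknown user authenticated externally."""
    if event.response_group and event.db_type in GROUP_SPECIFYING_TYPES:
        return event.response_group, "per-user override"
    if event.db_name in db_mapping:
        return db_mapping[event.db_name], "database mapping"
    return None, "unmapped"  # this case is not covered on this page

def overrides(events, db_mapping):
    """Events where the external server, not the ACS mapping, chose the group."""
    found = []
    for e in events:
        group, source = resolve_group(e, db_mapping)
        mapped = db_mapping.get(e.db_name)
        if source == "per-user override" and group != mapped:
            found.append((e.user, mapped, group))
    return found

# Constructed sample data.
DB_MAPPING = {"token-srv-1": "Telecommuters", "securid-1": "Telecommuters"}
EVENTS = [
    AuthEvent("alice", "token-srv-1", "RADIUS token server"),
    AuthEvent("bob", "token-srv-1", "RADIUS token server", "Network Admins"),
    # A group in a SecurID response is ignored: that type maps by database only.
    AuthEvent("carol", "securid-1", "RSA SecurID token server", "Network Admins"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.user, resolve_group(e, DB_MAPPING))
    print("overrides:", overrides(EVENTS, DB_MAPPING))
```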
