Radius-based group specification – Cisco 3.3 User Manual
Page 642
Chapter 16 User Group Mapping and Specification
RADIUS-Based Group Specification
16-14
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Cisco Secure ACS displays the Token-to-User-Group Mapping page for the NAC
database you selected.
Step 4
For each SPT, follow these steps:
a.
From the User Group list, select a group or, if you want to deny access, select
the <No Access> option, which is the default selection.
When the result of posture validation is the SPT listed to the left of the User
Group list, Cisco Secure ACS sends to the AAA client the authorizations
associated with the selected group.
b.
(Optional) In the PA User Message box, type a message that the NAC client
can show the user of the computer running the NAC client.
Note
Whether the NAC client displays messages depends upon the
configuration and design of the NAC client.
Step 5
Click Submit.
Cisco Secure ACS saves the SPT-to-user-group mapping.
RADIUS-Based Group Specification
For some types of external user databases, Cisco Secure ACS supports the
assignment of users to specific Cisco Secure ACS groups based upon the
RADIUS authentication response from the external user database. This is
provided in addition to the unknown user group mapping described in
Mapping by External User Database, page 16-2
. RADIUS-based group
specification overrides group mapping. The database types that support
RADIUS-based group specification are as follows:
•
LEAP Proxy RADIUS server
•
RADIUS token server
Cisco Secure ACS supports per-user group mapping for users authenticated with
a LEAP Proxy RADIUS Server database. This is provided in addition to the
default group mapping described in