
Default group mapping for windows, Windows group mapping limitations – Cisco 3.3 User Manual


Chapter 16 User Group Mapping and Specification

Group Mapping by Group Set Membership

16-6

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Default Group Mapping for Windows

For Windows user databases, Cisco Secure ACS includes the ability to define a
default group mapping. If no other group mapping matches an unknown user
authenticated by a Windows user database, Cisco Secure ACS assigns the user to
a group based on the default group mapping.

Configuring the default group mapping for Windows user databases is the same
as editing an existing group mapping, with one exception. When editing the
default group mapping for Windows, instead of selecting a valid domain name on
the Domain Configurations page, select \DEFAULT.

For more information about editing an existing group mapping, see Editing a
Windows, Novell NDS, or Generic LDAP Group Set Mapping, page 16-9.

Windows Group Mapping Limitations

Cisco Secure ACS has the following limits with respect to group mapping for
users authenticated by a Windows user database:

• Cisco Secure ACS can only support group mapping for users who belong to
  500 or fewer Windows groups.

• Cisco Secure ACS can only perform group mapping using the local and
  global groups a user belongs to in the domain that authenticated the user.
  Group membership in domains trusted by the authenticating domain cannot
  be used for Cisco Secure ACS group mapping. This restriction is not removed
  by adding a remote group to a group local to the domain providing
  authentication.
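
The fall-through to \DEFAULT and the two limits above can be checked offline against an export of users' Windows group memberships. The following Python script is an added example, not Cisco code or part of the original guide; all domain, group and ACS group names are constructed, and the matching rule (a mapping matches when the user holds every group in its set, first match wins) is an assumption.

```python
MAX_GROUPS = 500  # limit stated in this section

# Constructed sample configuration: ordered (group set, ACS group) mappings
# per Windows domain. Assumed semantics: a mapping matches when the user holds
# every group in its set, and the first match wins.
DOMAIN_MAPPINGS = {
    "CORP": [
        ({"CORP\\NETADMINS", "CORP\\VPN-USERS"}, "ACS-Admins"),
        ({"CORP\\VPN-USERS"}, "ACS-RemoteAccess"),
    ],
}
DEFAULT_ACS_GROUP = "ACS-Restricted"  # sample target of the \DEFAULT mapping


def resolve(auth_domain, memberships):
    """Return (acs_group, findings) for one user's exported memberships."""
    groups = {g.upper() for g in memberships}  # Windows names are case-insensitive
    if len(groups) > MAX_GROUPS:
        return None, [f"{len(groups)} groups exceeds {MAX_GROUPS}: mapping unsupported"]
    # Only groups in the domain that authenticated the user are usable.
    prefix = auth_domain.upper() + "\\"
    usable = {g for g in groups if g.startswith(prefix)}
    findings = []
    if groups - usable:
        findings.append("ignored groups outside authenticating domain: "
                        + ", ".join(sorted(groups - usable)))
    for group_set, acs_group in DOMAIN_MAPPINGS.get(auth_domain.upper(), []):
        if group_set <= usable:
            return acs_group, findings
    findings.append("no mapping matched: user receives \\DEFAULT mapping")
    return DEFAULT_ACS_GROUP, findings


# Constructed users: (authenticating domain, exported group memberships)
SAMPLE_USERS = {
    "alice": ("CORP", ["CORP\\NetAdmins", "CORP\\VPN-Users"]),
    # Partner account nested into a CORP local group; that membership is not used.
    "bob": ("PARTNER", ["PARTNER\\Staff", "CORP\\VPN-Users"]),
    "carol": ("CORP", [f"CORP\\Group{i}" for i in range(501)]),
}

if __name__ == "__main__":
    for name, (domain, groups) in SAMPLE_USERS.items():
        print(name, *resolve(domain, groups))
```

Users reported as falling through to \DEFAULT are the ones to review, since their authorization comes from whatever ACS group the default mapping selects.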