beautypg.com

Radius-based group specification – Cisco 3.3 User Manual

Page 642

background image

Chapter 16 User Group Mapping and Specification

RADIUS-Based Group Specification

16-14

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Cisco Secure ACS displays the Token-to-User-Group Mapping page for the NAC
database you selected.

Step 4

For each SPT, follow these steps:

a.

From the User Group list, select a group or, if you want to deny access, select
the option, which is the default selection.

When the result of posture validation is the SPT listed to the left of the User
Group list, Cisco Secure ACS sends to the AAA client the authorizations
associated with the selected group.

b.

(Optional) In the PA User Message box, type a message that the NAC client
can show the user of the computer running the NAC client.

Note

Whether the NAC client displays messages depends upon the
configuration and design of the NAC client.

Step 5

Click Submit.

Cisco Secure ACS saves the SPT-to-user-group mapping.

RADIUS-Based Group Specification

For some types of external user databases, Cisco Secure ACS supports the
assignment of users to specific Cisco Secure ACS groups based upon the
RADIUS authentication response from the external user database. This is
provided in addition to the unknown user group mapping described in

Group

Mapping by External User Database, page 16-2

. RADIUS-based group

specification overrides group mapping. The database types that support
RADIUS-based group specification are as follows:

LEAP Proxy RADIUS server

RADIUS token server

Cisco Secure ACS supports per-user group mapping for users authenticated with
a LEAP Proxy RADIUS Server database. This is provided in addition to the
default group mapping described in

Group Mapping by External User Database,

page 16-2

.