Cisco Wireless Networks, ACS, Syslog-Senders, and AD Groups!


L1 Bithead

Hi,

I've worked out how to recover the User ID, or UID, from a wireless network logon by sending syslog messages from the Cisco Access Control Server, or ACS, to a syslog-sender configured on my firewall.

For wired connections I can recover UID and AD group membership through the PAN UID Agent and Group Mapping Settings.

But I still can't figure out how to get an AD group membership/mapping for my wireless users.

Wireless users connect via a Cisco wireless controller and their logins are controlled by a Cisco Access Control Server, which uses Windows AD as an external identity store. I have tested a couple of rules and can control access by UID for users connected to the wireless network, but I cannot use AD User Groups; however, I can use AD User Groups for users connected by wired settings, using standard Windows logins, a couple of PAN UID Agents running on VMs, and Device | User Identification | Group Mapping Settings tab | <mapping object | Server Profile & Group Include List>

I'd really appreciate any pointers on how I might get this working; thanks,

Ian

1 REPLY

L7 Applicator

Do you get the domain information from the ACS logs or just the user name?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center