acs & restrictions

Unanswered Question
May 4th, 2007

Hi..

Im trying to understan the way acs working with group maping to Active Directory.

What i wan to achive is

1- to have AD group for Wireless users

who are permitet to authenticate and use WLAN

2-to have AD group for VPN users who are permitet to authenticate and use VPN

3-To have AD group for Switch Admin who are permitet to authenticate and manage LAN switches.

For exmeple Some users members i vpn group need as well be member of wireless group in AD..

Is that posible to have? or do i need to setup additionl ACS server for each

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jhillend Mon, 05/07/2007 - 12:45

First, you will need to have ACS 4.0 or above.

Next, you need to set up group mapping for AD with the following:

AD group wireless = W

AD group VPN = V

AD group Switch mgmt = S

ACS group 1 = W V S

ACS group 2 = W V

ACS group 3 = W S

ACS group 4 = V S

ACS group 5 = W

ACS group 6 = V

ACS group 7 = S

These MUST be set up in the described order.

Note - for 3 non-exclusive AD groups you need to configure 7 ACS groups. This problem will be alleviated in ACS 5.x

Now, in each ACS group mapped with W have a NAR that permits access to the wireless devices, V with a NAR that permits access to VPN devices and S with a NAR that permits access to the switches, such that:

ACS group 1: NAR_w, NAR_v, NAR_s

ACS group 2: NAR_w, NAR_v

and so on.

aram_galestian Tue, 05/08/2007 - 08:48

Thanks for very good answer im running acs 4.1 wich raise some other questions for me.. :)

1- What will happen if i would apply the Downloadle ACL i would have only for vpn users on

ACS group 1 = W V S

2- Do you know when the version 5.0 will be released..

Actions

This Discussion