I have a client that has implemented a CS ACS Solution Engine (appliance). They currently have VPN tunnels that terminate on an ASA, and the ACS is providing authentication via an external AD database. I didn't do the install or configuration of the unit and I am new to ACS. There is a group in AD that was created to allow access to the VPN, and this is working. I have created a second group in AD and a test user. The user account will not authenticate properly when establishing a VPN session. I have checked the ACS agent logs on the AD controller and it is showing that the user is authenticating properly, but it seems that the agent is not forwarding this information back to the ACS. Either that, or the ACS is ignoring it. On the ACS, the error generated is "External DB Account Restriction". I can't find anything specific about this. I verified that the AD account works and can log in to a workstation. I verified the account properties for the test account. I think it's related to the group membership. I have a group in ACS named exactly the same as the AD group, and the test account is a member of that group. I'm not sure where to start; any help would be appreciated.
You need to map that group, from the
External User Databases > Database Group Mapping > Windows Database.... section,
to a group on ACS. Naming the ACS group exactly the same as the Windows AD group does not establish any relationship between them.
I suppose all your other combinations in Group Mapping are mapped to either the "" group, or to a group that is disabled.
Please ensure that there is proper group mapping on ACS for the new group that you have created on AD.
So you are moving in the right direction; the issue seems to lie in Group Mapping.