10-31-2007 09:15 AM - edited 07-03-2021 02:51 PM
Hi,
We have the following implementation:
Cisco Access Points, mainly 1200 series and 1130, Cisco ACS v.4.1, and MS Active Directory.
I've used a self-generated certificate on the Cisco ACS and installed it on the local PC, and also linked Cisco ACS with AD, with a group mapping for allowing access to the WLAN.
I have two group mappings in ACS to two domain groups in Active Directory:
ACS -Group 1 = AD -Wifi_student
ACS -group 2 = AD -Wifi_employe
When a user who is not in either of the domain groups (AD) tries to authenticate, the user passes authentication. It is supposed to fail. Only the users in the groups are allowed to authenticate.
Do you think it is a bug in ACS 4.1?
Do you think it is a misconfiguration of the Windows policy?
Do you think I should create a local group instead of a domain group?
10-31-2007 03:04 PM
Hello,
Not sure if this is your issue, but in ACS there is a default policy if they do not authenticate. You can set this to deny, local authentication, or, if authenticating to devices, have it go to a group with no privileges. I am thinking that it is set to authenticate automatically.
10-31-2007 03:05 PM
Hello,
Not sure if this is your issue, but in ACS there is a default policy if they do not authenticate. You can set this to deny, local authentication, or, if authenticating to devices, have it go to a group with no privileges. I am thinking that it is set to authenticate automatically from the domain in general if the groups fail and maps to the default group policy (in ACS).
I was able to create a group in AD, authenticate to it, and set the default behavior to deny if it did not auth to that group or locally on the ACS server.