
AS Dialup User Access

williamsdo
Level 3

Access server authentication issue: we have an AD group called dialinusers; members of this group can dial in to the network with limited access to resources. The access server AS1 will query the ACS server for authentication, and ACS will check the user based on UN and PW against groups configured on the ACS server. A dial-in user may be a member of more than one group; if so, AS1 will authorize access based on the entries of one of those other groups. This should not happen; AS1 should deny access if the dial-in user is not a member of the dialinusers group.

The ACS server has group mapping to Active Directory NT groups. This works fine with VPN: if a user logs in under one group but is a member of another group, the ACS will assign the user to the correct group after UN and PW are authenticated.

Below is a partial config from AS1 showing the aaa config. PPP dial-in users should default to the dialinusers group and be allowed access based on their local UN and PW only if they are members of the dialinusers group. This is not working as it should: the issue is that dial-in users are allowed access based on membership of groups other than dialinusers. Any help on how this AS should be configured would be a great help. Thanks

aaa group server radius dialinusers
 server 11.3.223.155 auth-port 1645 acct-port 1646
!
aaa authentication login default group radius enable
aaa authentication login local-only local
aaa authentication ppp default group dialinusers local
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

2 Replies

wdrootz
Level 4

The syntax of the following command is incorrect:

aaa authentication ppp default group dialinusers local

Correct syntax:

aaa authentication ppp default group radius local

You had already mentioned which radius group to be used - 'aaa group server radius dialinusers'

Thank you, I will try your suggestion tomorrow.
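
An added example, not part of the thread or any poster's tooling: a small Python audit of the AS1 excerpt that resolves each authentication method list to the place the credentials are actually sent. In IOS the word after `group` names a RADIUS/TACACS+ server group (either a built-in one or one defined with `aaa group server`), so the output shows which servers the PPP list queries; the function names and the "on-box" / "UNDEFINED GROUP" labels are assumptions of this sketch.

```python
import re

# AS1 excerpt from the question, embedded as sample input.
AS1_CONFIG = """\
aaa group server radius dialinusers
 server 11.3.223.155 auth-port 1645 acct-port 1646
!
aaa authentication login default group radius enable
aaa authentication login local-only local
aaa authentication ppp default group dialinusers local
aaa session-id common
"""

# IOS built-in groups: every configured host of that protocol.
BUILTIN_GROUPS = {"radius", "tacacs+"}


def parse_server_groups(config):
    """Return {group name: [server address, ...]} from 'aaa group server' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        head = re.match(r"aaa group server \S+ (\S+)", line)
        member = re.match(r"\s*server (\S+)", line)
        if head:
            current = groups.setdefault(head.group(1), [])
        elif member and current is not None:
            current.append(member.group(1))
        else:
            current = None  # any other line ends the block
    return groups


def resolve(config, service, name="default"):
    """List (method, destination) pairs for one authentication method list."""
    groups = parse_server_groups(config)
    pattern = r"aaa authentication %s %s (.+)" % (re.escape(service), re.escape(name))
    methods = re.search(pattern, config).group(1)
    result = []
    for method in re.findall(r"group \S+|\S+", methods):
        target = method.split()[-1]
        if not method.startswith("group "):
            result.append((method, "on-box"))       # local / enable: checked on AS1
        elif target in groups:
            result.append((method, ", ".join(groups[target])))
        elif target in BUILTIN_GROUPS:
            result.append((method, "all %s hosts" % target))
        else:
            result.append((method, "UNDEFINED GROUP"))
    return result


if __name__ == "__main__":
    for service in ("login", "ppp"):
        print(service, resolve(AS1_CONFIG, service))
```

The resolved list contains server addresses only; nothing in an IOS method list carries directory group membership, so the group decision for a dial-in user is whatever the RADIUS server returns.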
