I have been using ACS to authenticate VPN users from our ASA5540 for several months with no problems. I map an ACS group "VPN-Users" to a group in AD. I have now created a 2nd group in ACS, "Wireless-PEAP", for wireless PEAP authentication. This group also maps to a group in AD. I have also applied a NAR to each ACS group, allowing for our ASA to authenticate against the VPN group and our 4400 WLAN controllers to authenticate against the PEAP group. The order of the groups is VPN and then PEAP. This works fine when a user is a member of one group or the other, but not both. If one of my wireless users is attempting to authenticate using PEAP and that user is also a member of the VPN group, then they fail authentication against the VPN group with a message that says "User Access Filtered" in the failed log. I am assuming ACS sees that user in the first group but the NAR denies the 4400 controllers access to the VPN group, so the authentication fails. Is there any way around this?