Group connection between Cisco switch and ACS server

Nov 24th, 2008


My name is Ceriel Roland and I have a small problem:

We are using Cisco 3560 Switches with 12.2(44)SE2 IOS.

These switches are dot1x enabled with the ACS server.

Computers are authenticated through certificates and it all works fine.

We also want to enable login with the ACS server, but we don't want all users to have access.

Only the group AD_Admins needs to have access.

I created the group and added users.

On the switch I entered the command:

aaa authentication login AD_Admins local group radius

But the users can't log in to the switch.

If I change the command to:

aaa authentication login default local group radius

Then users can log in, but ALL users can log in and I only want AD_Admins to be able to log in.

How can I set this up for it to work?


Ceriel Roland

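Added example, not part of the original thread: a named login method list such as AD_Admins has no effect until a line references it with "login authentication", so the VTYs keep using the "default" list. The configuration below assumes the RADIUS server is already defined, that the management VTYs are 0 to 4, and that the decision about which users the server accepts (for example only members of AD_Admins) is made in the ACS group settings, which are not shown here.

```cisco
! Added example (not from the thread). Assumes the RADIUS server and
! a local fallback account already exist on the switch.
aaa new-model
!
! Named list: ask the RADIUS server first; "local" is only consulted if the
! server does not respond (an outage), not if it rejects the user.
aaa authentication login AD_Admins group radius local
!
! Without this reference the VTYs keep using the "default" list, so a named
! list that is never applied to a line is simply ignored.
line vty 0 4
 login authentication AD_Admins
 transport input ssh
!
! Keep the console on a local-only list so a RADIUS outage cannot lock
! administrators out of the device.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
```

Which accounts the server actually accepts on this list is a server-side policy decision; restricting the accepted users to one AD group has to be configured on the ACS side, not on the switch.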
CerielRoland Mon, 11/24/2008 - 06:46

Hi Collin,

I tried it but the problem is that the ACS server also allows clients to authenticate through dot1x.

If I adjust that setting, the users can't use the network anymore.

I also tried to achieve it through Network Access Profiles to allow clients to communicate through RADIUS and allow users to log in with TACACS, but I can't define TACACS access in the NAPs.



