I did the ACS integration on LMS 3.1.
Our ACS version is 4.1.
All looks fine, I think, but the problem is that all users who are configured on the ACS have access to the LMS now!
The users I didn't configure for LMS have access, but can't do anything because of missing rights.
But I want to configure it so that only particular users have access to the LMS portal, and not all of them!
Thanks for helping!
If this is all you have done, then this is expected. ACS will still tell LMS that the user passed authentication, and LMS will allow the user to login. Of course, simply not enabling any LMS access will prevent the user from being able to perform any tasks.
To completely prevent the user from logging in, you need to disable their access to the LMS server. To do this, edit their group settings, and add a network access restriction. I typically recommend people put their LMS servers in a separate NDG in ACS which makes this easy. If you are already using a permit NAR, simply do not add the LMS server NDG to the NAR list. If you are already using a deny NAR, add the LMS server NDG.
If you are not using any NARs, add a new NAR rule which denies the user from logging in to devices in the LMS server NDG from any host on any port. For example:
AAA Client         Port    Address
NDG:LMS Servers    *       *
This will completely disable the user from being able to login to LMS.