I've got some problems with NARs in ACS 4.2.
I have got two AD groups: 1=Wired Users, 2=Wireless Users
Wired Users = ACS group 10, Wireless Users = ACS group 20.
I want to put wired users via 802.1x in VLAN 10 on the access switches.
I want to put wireless users via 802.1x in VLAN 20 on WLCs.
A laptop is a member of both AD groups (it can work wired and wireless).
The problem is that the user is always authenticated in ACS group 10, because that's the first match. With AAA override, the user will always be placed in VLAN 10.
I tried to make a NAR (IP-based, also tried CLI/DNIS) that permits only the IP addresses of the switches to access ACS group 10 for wired users, and a NAR to permit only access from the WLC and a specific SSID to access ACS group 20.
When the laptop is wired, everything is OK: authentication is in ACS group 10, VLAN 10.
When laptop is wireless, it goes wrong. Authentication is still in ACS group 10, but fails because of NAR.
I would like the ACS to skip ACS group 10 by NAR, but continue authentication in Group 20 to correctly assign VLAN information.
How can this be achieved?
In this case you need to set up a NAP (Network Access Profile). Here you will define that if a request comes from a WLC, it should be mapped to the wireless user group, and if it comes from a wired switch, it should go to the wired group.
Check this link,
You need to add a profile; in the filter option choose your NAS IP address (WLC).
Then you need to set up a RAC in Shared Profile Components, using IETF attribute no. 81 (VLAN number).
Finally, in the NAP you need to set up Authorization, choose the group and map it to the RAC.
Do rate helpful posts
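As an added illustration (not code from the thread or from Cisco ACS), here is a Python sketch of the two pieces the answer above describes: picking a profile by NAS IP address (the NAP filter step) and building the RFC 2868 tunnel attributes that carry the VLAN number in the RAC. The NAS subnets are constructed assumptions; VLANs 10 and 20 and attribute 81 come from the thread, attributes 64 and 65 are the companion attributes a switch or WLC expects alongside it.

```python
import struct
import ipaddress

# RADIUS attribute types (RFC 2865 / RFC 2868) used for 802.1X dynamic VLAN assignment
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN id carried as a string (the "attribute 81" in the thread)

# Constructed example of the NAP filter: which NAS subnets belong to which profile.
# Subnets are assumptions; the ACS groups and VLANs are the ones from the question.
PROFILES = {
    "wired":    {"nas_networks": ["10.1.0.0/24"], "acs_group": 10, "vlan": 10},
    "wireless": {"nas_networks": ["10.2.0.0/24"], "acs_group": 20, "vlan": 20},
}

def select_profile(nas_ip: str) -> dict:
    """Return the profile whose NAS filter matches the RADIUS client address."""
    addr = ipaddress.ip_address(nas_ip)
    for name, prof in PROFILES.items():
        if any(addr in ipaddress.ip_network(n) for n in prof["nas_networks"]):
            return {"profile": name, **prof}
    raise LookupError(f"no profile matches NAS {nas_ip}")  # unmatched NAS = reject, not fall-through

def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    # RFC 2868 tagged integer: Type, Length(6), Tag, then a 3-byte big-endian value
    return struct.pack("!BBB", attr_type, 6, tag) + struct.pack("!I", value)[1:]

def tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    data = text.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def vlan_attributes(vlan: int, tag: int = 1) -> bytes:
    """The three attributes a RAC must send for the NAS to place the port in `vlan`."""
    return (tagged_int(TUNNEL_TYPE, tag, 13)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, 6)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))

def parse_attributes(blob: bytes) -> dict:
    """Walk Type/Length/Value triples of an Access-Accept payload into {type: value}."""
    out, i = {}, 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        out[attr_type] = blob[i + 2:i + length]
        i += length
    return out

def vlan_from_accept(blob: bytes) -> int:
    """Recover the VLAN a NAS would apply; tag byte (0x01-0x1F) precedes the string if present."""
    raw = parse_attributes(blob)[TUNNEL_PRIVATE_GROUP_ID]
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    return int(raw.decode())
```

Checking the decoded VLAN against the profile the NAS address selected is a quick way to confirm that a wireless request is no longer being answered with the wired group's VLAN.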