ACS/AD/Wireless

Unanswered Question
Apr 4th, 2010

hello

we are using ACS4.2 to authenticate network admins to access switches and routers. ACS is integrated with Windows Active Directory.

so we map AD groups to ACS groups and we specify access restriction in ACS groups.

now we want to use this ACS to authenticate wireless users. wireless users will use their AD accounts.

so I think we should create a new internal group in ACS and map AD mobile users to this group. using Radius attributes we can put these users in one particular vlan.

however what if one network administrator will access the wireless network? he will use the AD account that belongs to both groups: network-admin group and wireless group.

so what will ACS do in this case? will it be mapped to the first group or the second or maybe both?!!!

Rodrigo Gurriti Mon, 04/05/2010 - 08:02

It's all about the groups and the maps.

You can create groups that will be used to authenticate and authorize the Admins to your devices.

Create a new group with a new map to a different group.

Let's say that you have 2 groups:

Router-Switches - authenticates and gives the authorization, like commands allowed, etc.

WIFI - authenticates and authorizes; it can put them on their VLANs, etc.

You can do the following map:

router-switch --> ADMINISTRATORS (AD)

WIFI --> USERS - ADMINISTRATORS (AD)

Also take a look at these docs

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml

http://www.ciscosystems.lt/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

I hope it helps
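The reply's two mappings only settle the original question once you know the order in which ACS evaluates them. The following is an added illustration, not configuration from this thread or from Cisco: it models the ordered mapping table from the reply under the assumption that the first mapping whose AD groups the user holds wins, attaches RFC 2868 VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) to the WIFI group, and shows what an administrator who is in both ADMINISTRATORS and USERS would get when connecting through a wireless controller. Group names, the NAS types, VLAN 200 and the users are all constructed for the example.

```python
# Added example (not from the thread): simulates ordered "first match wins"
# evaluation of external-database group mappings and the RADIUS VLAN
# attributes a WIFI group would return. Whether ACS 4.2 resolves a user in
# several mapped AD groups this way is an assumption to verify against the
# Cisco documentation linked in the reply.
from dataclasses import dataclass, field


@dataclass
class AcsGroup:
    name: str
    # RADIUS attributes returned on successful authorization (constructed).
    radius_attrs: dict = field(default_factory=dict)
    # Device types this group is allowed to log in to (constructed labels).
    allowed_nas: frozenset = frozenset()


@dataclass
class Mapping:
    ad_groups: frozenset  # AD groups the user must hold for this mapping
    acs_group: str        # ACS group assigned when the mapping matches


def wifi_vlan_attrs(vlan_id: int) -> dict:
    """RFC 2868 tunnel attributes used for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "802",
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


# The two ACS groups from the reply, with constructed authorization details.
ACS_GROUPS = {
    "router-switch": AcsGroup("router-switch", {}, frozenset({"switch", "router"})),
    "WIFI": AcsGroup("WIFI", wifi_vlan_attrs(200), frozenset({"wlc"})),
}

# Ordered mapping table as sketched in the reply; position decides priority.
MAPPINGS = [
    Mapping(frozenset({"ADMINISTRATORS"}), "router-switch"),
    Mapping(frozenset({"USERS"}), "WIFI"),
]


def resolve_group(user_ad_groups, mappings=MAPPINGS):
    """Return the ACS group of the first mapping whose AD groups the user
    holds, or None when no mapping matches (assumed first-match semantics)."""
    held = frozenset(user_ad_groups)
    for m in mappings:
        if m.ad_groups <= held:
            return m.acs_group
    return None


def authorize(user_ad_groups, nas_type, mappings=MAPPINGS):
    """Return (acs_group, radius_attrs). radius_attrs is None when the
    resolved group does not permit this kind of device, i.e. the session
    would be rejected or get no VLAN assignment."""
    name = resolve_group(user_ad_groups, mappings)
    if name is None:
        return None, None
    group = ACS_GROUPS[name]
    if nas_type not in group.allowed_nas:
        return name, None
    return name, dict(group.radius_attrs)


if __name__ == "__main__":
    # Constructed users: a plain wireless user and an admin who is in both AD groups.
    scenarios = [
        ("wireless user", {"USERS"}, "wlc"),
        ("admin on a switch", {"ADMINISTRATORS", "USERS"}, "switch"),
        ("admin on wireless", {"ADMINISTRATORS", "USERS"}, "wlc"),
    ]
    for label, groups, nas in scenarios:
        print(label, "->", authorize(groups, nas))
    # Reversing the table flips the outcome for the user in both groups.
    print("admin on wireless, WIFI mapping first ->",
          authorize({"ADMINISTRATORS", "USERS"}, "wlc", list(reversed(MAPPINGS))))
```

With the table in the reply's order, the administrator is always resolved to router-switch, so on the wireless controller no VLAN attributes come back; with the order reversed, the same account lands in WIFI and would then lack the device-login authorization on switches. The user in both AD groups therefore gets exactly one of the two groups, chosen by mapping order, which is the point to confirm in the linked ACS group-mapping documentation before relying on a single account for both roles.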