May 10th, 2010

Dear all

I have an ACS running version 4.2. We have integrated this with AD as well.

We had created some groups in ACS for VPN, and it is dynamically mapped with the respective department. It's working fine now.

We have designed a wireless implementation here with dynamic VLAN assignment.

This is not working because the user is already a member of one group in ACS. I know that I can edit that group and do the wireless parameter settings.

But I would like to know whether the user can be a member of multiple groups or the user will be associated with the first group.

If we have an option for the user to be in multiple groups, how can we do this?

If anyone has faced this issue, please reply to me at the earliest.



Kent Heide Mon, 05/10/2010 - 03:51

The ACS will map the user to a group on a first come, first serve basis. This is the behavior of 4.x. On 5.x, though, you can do nested grouping etc., but if you have the user being allocated the same attributes twice with different values, only one of them will be chosen. On 5.x I am not sure if it's the first or the last.

darpotter Mon, 05/10/2010 - 04:21

It's a bit long-winded, but by using multiple Network Access Policies (NAP) in ACS 4.2 you can create specific Windows group mappings per NAP.

The NAP is selected dynamically by NAS IP, or NDG, or any content within the incoming RADIUS packet. So usually it's possible to match on something. NAPs may also have chunks of re-usable RADIUS attributes (Shared Radius Authorisation Components) which can be used instead of setting RADIUS attributes at group level - can reduce the management overhead.

It's not a perfect solution, but should get to where you need to be without having to upgrade.

Facing an ACS audit? Find out how aaa-reports! can help at
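
A simplified Python model of the two behaviours discussed in this thread, added here as an illustration; it is not code from any poster or from Cisco ACS. It contrasts a single first-match group mapping with per-NAP mappings selected by NAS IP. All group names, subnets, VLAN IDs and function names are constructed assumptions.

```python
# Simplified model of the behaviour described in the thread; not Cisco ACS code.
# Group names, NAS subnets and the VLAN ID are constructed for illustration.
from ipaddress import ip_address, ip_network

def first_match(mappings, ad_groups):
    """ACS 4.x style mapping: walk the ordered list, the first hit wins."""
    for ad_group, acs_group in mappings:
        if ad_group in ad_groups:
            return acs_group
    return None

# One global mapping list: the second entry can never be reached.
GLOBAL_MAPPINGS = [("AD-Sales", "VPN-Sales"), ("AD-Sales", "WLAN-Sales")]

# Per-NAP setup: each profile is selected by NAS IP and has its own mappings.
NAPS = [
    {"name": "vpn", "nas": ip_network("10.0.1.0/24"),
     "mappings": [("AD-Sales", "VPN-Sales")]},
    {"name": "wireless", "nas": ip_network("10.0.2.0/24"),
     "mappings": [("AD-Sales", "WLAN-Sales")]},
]

# Reply attributes per ACS group; dynamic VLAN assignment uses the
# RFC 3580 tunnel attributes.
GROUP_ATTRS = {
    "VPN-Sales": {"Class": "sales-vpn"},
    "WLAN-Sales": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
                   "Tunnel-Private-Group-ID": "120"},
}

def authorize_global(ad_groups):
    """Same group for every request type, whatever device sent it."""
    group = first_match(GLOBAL_MAPPINGS, ad_groups)
    return group, GROUP_ATTRS.get(group, {})

def authorize_with_naps(nas_ip, ad_groups):
    """Pick the profile by NAS IP, then apply that profile's own mapping."""
    for nap in NAPS:
        if ip_address(nas_ip) in nap["nas"]:
            group = first_match(nap["mappings"], ad_groups)
            return nap["name"], group, GROUP_ATTRS.get(group, {})
    return None, None, {}  # no profile matched: send no attributes

if __name__ == "__main__":
    user = {"AD-Sales"}
    print(authorize_global(user))                 # wireless group never chosen
    print(authorize_with_naps("10.0.2.5", user))  # wireless profile, VLAN attrs
```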

