I've got two groups of users. Wireless, which maps to all users in the AD, and VPN, which only maps to a single AD group. I want to authenticate both groups through ACS. I've setup two shared NAR profiles. One, named VPN allows RADIUS requests from the ASA and the other, named WLAN allows RADIUS auth requests from the wireless controller.
The problem I'm having is the ordering of the authentication. If I order the wireless AD mapping first in database group mappings then everyone can login to the WLAN and the VPN which is not what I want. If I put the VPN group map first than the VPN users get mapped to the correct group but you can only log into the WLAN if you are in the VPN group.
I'd like ACS to try the next group if it doesn't find a user in the first group. Is this possible? Is there another option that I haven't considered? I'm running ACS 3.2.
Thanks for any help.