ACS user auth with NAR

Unanswered Question
Jun 2nd, 2010
User Badges:

I've got two groups of users. Wireless, which maps to all users in the AD, and VPN, which only maps to a single AD group. I want to authenticate both groups through ACS. I've setup two shared NAR profiles. One, named VPN allows RADIUS requests from the ASA and the other, named WLAN allows RADIUS auth requests from the wireless controller.

The problem I'm having is the ordering of the authentication. If I order the wireless AD mapping first in database group mappings then everyone can login to the WLAN and the VPN which is not what I want. If I put the VPN group map first than the VPN users get mapped to the correct group but you can only log into the WLAN if you are in the VPN group.

I'd like ACS to try the next group if it doesn't find a user in the first group. Is this possible? Is there another option that I haven't considered? I'm running ACS 3.2.

Thanks for any help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jatin Katyal Thu, 06/03/2010 - 19:29
User Badges:
  • Cisco Employee,

Looks like users are part of both the groups and this is actually the default behaviour everytime ACS see that user is a part of first group in sequence it let the user fall in that group and will never check the next group mapping in sequence.

There is a feature called NAP, that could be quite useful. But that was introduced in ACS 4.x, you can't avail it in ACS version 3.2. NAP allow classification of access requests based on device belonging to a network device group, protocol, or other RADIUS attributes sent by the device the user is connecting through. In addition, authentication, access control, posture validation, and authorization policies can be mapped to profiles.Unfortunately, On this version ACS 3.2, we can't do anything.

You need to upgrade to 4.x



Do rate helpful posts-


This Discussion

Related Content