I am having a problem trying to prevent particular users from coming in via VPN. We have ACS 4.2.0 build 124 patch 4 serving as a link between our ASAs and MS AD. The users are supposed to be in the RAS group, which is mapped to the VPN user group in ACS. We have tried removing the user from the AD RAS group and waited about 15 minutes before trying to remote in as the user. We could still get in. According to the reports I looked at from ACS, it thinks the user is still in the VPN group in ACS, which is mapped only to the RAS group in AD.
The only way I have found to keep the user from coming in is to either disable their account via ACS or have the help desk folks go into AD and disable the account there. I don't really want to let the help desk folks into ACS to disable accounts there. The end result is that we want to disable remote access only, while leaving the account active, which would require the particular folks to come into the office to do what needs to be done.
Everything I see points to a problem between ACS and AD. I have been looking for troubleshooting docs but haven't found anything so far.
We are going to move to ACS 5.1 but ran into significant problems with the migration utility, which TAC indicates won't be fixed for some time (if ever).
This means that we need to get this fixed with ACS 4.2.
Any suggestions would be appreciated.