ACS AAA problem with VPN

Unanswered Question
Jun 15th, 2010
User Badges:

I am having a problem with trying to prevent access from particular users trying to come in via VPN.  We have ACS 4.2.0 build 124 patch 4 serving as a link between our ASA's and MS AD.  The users are supposed to be able to be in the RAS Group which is mapped to the VPN user group in ACS.  We have tried removing the user from the AD RAS group and waited about 15 minutes before trying to remote in as the user.  We could still get in.  According to the reports I looked at from ACS, it thinks the user is still in the VPN group in ACS which is mapped only to the RAS group in AD.

The only way I have found to keep the user from coming in is to either disable their account via ACS or have the helpdesk folks go into AD and disable the account there.  Dont really want to let the help desk folks into ACS to disable accounts there.  The end result is that we want to disable remote access only while leaving the account active which would require the particular folks to come into the office to do what needs to be done.

Everything I see points to a problem between ACS and AD.  I have been looking for troubleshooting docs but havent found anything so far.

We are going to move to ACS 5.1 but ran into significant problems with the migration utility which TAC indicates wont be fixed for some time (if ever).

This means that we need to get this fixed with ACS 4.2.

Any suggestions would be appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Ronald Nutter Thu, 06/17/2010 - 12:38
User Badges:

Yes I did.

I wasnt the one who setup this system, so if something is wrong, I might not catch the problem.  I am going through the GUI again and will see what I can find in the documentation.


Nick Egloff Wed, 06/16/2010 - 15:48
User Badges:

Ron -

I've seen this problem before where the ACS "learns" about the user and stores a copy locally on the ACS server of the user record mapping and stores it in the "User Setup".

Did you check to see if the user existed in the user database, by going to "User Setup" and either "Remove Dynamic Users" or search for that specific user and then remove them???

Good luck -


Ronald Nutter Thu, 06/17/2010 - 12:34
User Badges:


Thanks for the ideas.  I did deleted the dynamic user from the ACS server but he was "rediscovered" when I tried to log him back in.

Under the Remote Access Permission, I even have him set to Deny Access.  Guess ACS isnt watching that attribute.  Was hoping that we could use that to Deny them access.

I even have the user removed from the RAS group and he still gets in.  Hopefully I can get this figured out.


Nick Egloff Thu, 06/17/2010 - 13:38
User Badges:

The next thing to check then would be in 2 areas:

One would be under the domain name in the "External User Databases", "Database Group Mapping", "Windows NT/2000", then your Domain name... and see if he's in any other Windows AD groups that also map to that ACS group... If you have a group of VPN-DENIED, then move that to the top and assign that to him then he should "match" that one first.

The second would be in the "External User Databases", "Database Configuration",", Microsoft Windows" then "Change/Configure" (something like that)  there are options there that apply to ALL user mappings that you may want to look through. You may find a solution there, but you need to be careful, because they do apply to all users, so if you require something, it may "break" everyone until you "fix" their accounts to match.



This Discussion