I am working with ACS 5.2 and using RADIUS authentication for a VPN client.
The authentication method used is Active Directory in a Windows environment with multiple domains in the same forest.
My problem occurs when I change a user from one group to another in Active Directory. After that I receive the following message when I try to connect:
15039 Selected Authorization Profile is DenyAccess
The message appears because the default policy is matched.
Another user in the same AD group works fine.
All domains in the forest have trust relationships with each other.
I am using universal groups to include users from all domains belonging to this forest.
Can anyone help me?
Is your authentication rule matching against a single AD group?
You can check which groups were retrieved for the user as follows:
- Go to "Monitoring and Troubleshooting"
- select Authentications - RADIUS - Today
- Find the entry that did not match and click on the details icon
- Expand the "Authentication Details" section. Look under "Other Attributes"; the groups retrieved from AD for the user will be listed there