06-26-2006 12:13 PM - edited 02-21-2020 02:30 PM
15,000 student accounts on active directory, single domain, Win2003.
3,000 staff accounts.
Staff should access VPN and Wireless.
Students should access Wireless only.
Cisco VPN 3000 Concentrator.
Cisco Wireless Access Points, LEAP (going to migrate to Aruba in the future).
ACS 3.x
Problem:
On Active Directory, I need to keep the option "Allow dial-in" on student accounts set to "Allow". That way students can access wireless. The problem is that this would let users launch a Cisco VPN client and connect to our corporate network. I want to restrict that for students.
How can I solve this situation?
06-26-2006 12:20 PM
Add a new field in your AD for each service: one for wireless and one for VPN. Map those two fields to groups in your ACS server. Restrict access with the calling device ID (NAR) in each ACS group.
Adding a field for each service gives you the flexibility to handle weird cases, like a student employee.
06-27-2006 07:19 AM
Thanks.
Can you elaborate a little more on the "Map those two field to groups in your ACS server".
Are you saying that I should create AD attributes named "wireless" and "vpn", or perhaps you meant I should create security groups in Active Directory, "Wireless" and "VPN", and then make ACS recognize those groups?
I am new to ACS, so if you can point out documentation on how to make ACS work with Active Directory groups, that would help. I will research more on this ACS<->AD groups mapping.
Thanks again !
Also, I
06-27-2006 10:29 AM
I do not manage the AD for my university, but my AD manager knew what to do on the AD...
1. You must have at least two network device groups, associated with wireless and vpn.
2. Create a minimum of two ACS groups, one for Student and one for staff (or one each for wireless, vpn, wireless+vpn, none).
Configure the access devices allowed in this group using the
"Per Group Defined Network Access Restrictions" menu.
3. Map the ACS group to the AD-defined group in the external database group mapping utility. Begin with the more specific group, end with the less specific. The mapping works with "and" statements.
If member of AD group wireless and vpn, then map to ACS group wireless+vpn.
Make a few tests; there is not a lot of doc on this, but it works well.
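The following is an added illustration of the design from the two replies above (AD group per service, ordered ACS group mapping with "and" semantics, per-group NARs keyed on the network device group); it is not code from the thread or from Cisco ACS. It simulates how ACS 3.x evaluates the external database group mapping top to bottom (first rule whose AD groups are all present wins) and then applies the matched ACS group's NAR, so you can see why the more specific "Wireless and VPN" rule has to come before the plain "Wireless" rule. All group, NDG and user names are assumptions chosen for the example.

```python
"""Simulation of ACS 3.x external-database group mapping plus per-group
Network Access Restrictions (NARs).  Added example, not Cisco code; every
name below (NDGs, AD groups, ACS groups, users) is an assumption."""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Network Device Groups (NDGs): one for the VPN 3000 concentrator, one for
# the wireless access points.  Each AAA client in ACS belongs to one NDG.
NDG_VPN = "VPN-Concentrators"
NDG_WIRELESS = "Wireless-APs"

# "Per Group Defined Network Access Restrictions": the NDGs each ACS group
# may authenticate from.  "none" is the fall-through group with nothing
# permitted, so an account in neither AD group is denied everywhere.
ACS_NARS: Dict[str, FrozenSet[str]] = {
    "wireless+vpn": frozenset({NDG_VPN, NDG_WIRELESS}),
    "vpn":          frozenset({NDG_VPN}),
    "wireless":     frozenset({NDG_WIRELESS}),
    "none":         frozenset(),
}

# External database group mapping, in the order ACS evaluates it.  A rule
# matches when the user is a member of ALL listed AD groups ("and"
# semantics); the first matching rule wins.
MappingRule = Tuple[FrozenSet[str], str]

# Correct order: most specific rule first.
CORRECT_MAPPING: List[MappingRule] = [
    (frozenset({"Wireless", "VPN"}), "wireless+vpn"),
    (frozenset({"VPN"}),             "vpn"),
    (frozenset({"Wireless"}),        "wireless"),
]

# Misordered: the less specific "Wireless" rule is listed first, so a staff
# member who is in both AD groups matches it and never reaches wireless+vpn.
MISORDERED_MAPPING: List[MappingRule] = [
    (frozenset({"Wireless"}),        "wireless"),
    (frozenset({"Wireless", "VPN"}), "wireless+vpn"),
    (frozenset({"VPN"}),             "vpn"),
]


def map_to_acs_group(ad_groups: Iterable[str], mapping: List[MappingRule],
                     default: str = "none") -> str:
    """Return the ACS group for a user's AD group membership (first match)."""
    member = frozenset(ad_groups)
    for required, acs_group in mapping:
        if required <= member:          # every required AD group present
            return acs_group
    return default


def access_permitted(ad_groups: Iterable[str], ndg: str,
                     mapping: List[MappingRule]) -> bool:
    """Apply the matched ACS group's NAR to the NDG the request came from."""
    acs_group = map_to_acs_group(ad_groups, mapping)
    return ndg in ACS_NARS[acs_group]


# Constructed directory for the example: staff sit in both AD groups,
# students in Wireless only, and one account in neither.
USERS: Dict[str, set] = {
    "staff1":   {"Wireless", "VPN"},
    "student1": {"Wireless"},
    "guest1":   set(),
}


def evaluate(mapping: List[MappingRule]) -> Dict[Tuple[str, str], bool]:
    """Permit/deny decision for every (user, NDG) pair under a mapping."""
    return {
        (user, ndg): access_permitted(groups, ndg, mapping)
        for user, groups in USERS.items()
        for ndg in (NDG_WIRELESS, NDG_VPN)
    }


if __name__ == "__main__":
    for label, mapping in (("correct order", CORRECT_MAPPING),
                           ("misordered", MISORDERED_MAPPING)):
        print(label)
        for (user, ndg), ok in evaluate(mapping).items():
            print(f"  {user:9s} via {ndg:18s} -> {'permit' if ok else 'deny'}")
```

With the correct order, student1 is permitted from the wireless NDG and denied from the VPN NDG regardless of the AD "Allow dial-in" flag, which is the behaviour the original poster wants; with the misordered mapping, staff1 silently loses VPN access because the first matching rule is the wireless-only one. Whatever order you configure in ACS, test one account from each AD group combination against both device groups before rolling it out.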
06-26-2006 12:26 PM
Can you restrict this using an ACL at the VLAN interface?