ACS - "Default" group still lets people log in via wireless

Nov 3rd, 2006

I add "Testuser" to my Active Directory security group "DomainWireless" and I see on ACS that the respective user is mapped accordingly and gets authenticated as "Group Name=ACSWireless".

If I remove the user from "ACSWireless", the user defaults to the "Default" group.

Then I go to ACS, "Group Setup", and edit the "Default" group settings. I go to "Per Group Defined Network Access Restrictions". I check "Define IP-based access restrictions". I pick "Table Defines=Denies Calling Point of Access Locations". I input "All AAA Clients Port=* Address=*". I click "Submit + Restart".

I attempt to login and I am successful.

What am I missing? I want to let only users who are members of the DomainWireless group log in via wireless, and deny access to people who are not members of that group.

darpotter Mon, 11/06/2006 - 06:46

Easy... wrong type of NAR.

IP-based NARs are for L3, i.e. telnet etc., and are mostly used just for TACACS+ device admin.

You need to use CLI/DNIS-style NARs for an L2 session. The content is largely the same: make it deny and put *'s in for everything.


news2010a Mon, 11/06/2006 - 11:21

Yes, that did it!

That tells me that, similarly, I should only configure permit NARs using the CLI/DNIS type for the respective devices.

Thanks a lot!
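
As an added illustration of the two answers above (this is not code from the thread and not ACS's own implementation), here is a small Python model of how a deny-all IP-based NAR, a deny-all CLI/DNIS NAR and a per-device permit CLI/DNIS NAR apply to an 802.1X wireless request versus a telnet device-admin login. It assumes the IP-based filter has nothing to match when the request carries no end-user IP (modelled as a missing Framed-IP-Address) and that the CLI/DNIS filter matches Calling-Station-Id and Called-Station-Id; the AAA client addresses, MACs and SSID are constructed.

```python
from fnmatch import fnmatch  # ACS-style "*" wildcards

# Constructed sample requests: keys follow the RADIUS attributes an AAA client
# sends, values are made up.
WIRELESS_8021X = {  # 802.1X logon via an AP: no end-user IP at auth time
    "User-Name": "Testuser", "NAS-IP-Address": "10.0.0.5", "NAS-Port": "1",
    "Calling-Station-Id": "00-11-22-33-44-55",          # client MAC (CLI)
    "Called-Station-Id": "00-AA-BB-CC-DD-EE:CorpWLAN",  # AP MAC:SSID (DNIS)
}
TELNET_ADMIN = {  # device-admin login: the end-user IP is known
    "User-Name": "Testuser", "NAS-IP-Address": "10.0.0.1", "NAS-Port": "tty1",
    "Framed-IP-Address": "192.0.2.10",
}

def ip_nar_matches(row, req):
    """IP-based row (AAA client / port / address). Model assumption: with no
    end-user IP in the request (the L2 case) the row has nothing to match,
    so a deny table built from such rows never fires."""
    ip = req.get("Framed-IP-Address")
    if ip is None:
        return False
    return (fnmatch(req["NAS-IP-Address"], row["aaa_client"])
            and fnmatch(req.get("NAS-Port", ""), row["port"])
            and fnmatch(ip, row["address"]))

def cli_dnis_nar_matches(row, req):
    """CLI/DNIS row (AAA client / port / CLI / DNIS) matched against the
    Calling-Station-Id and Called-Station-Id an 802.1X request carries."""
    return (fnmatch(req["NAS-IP-Address"], row["aaa_client"])
            and fnmatch(req.get("NAS-Port", ""), row["port"])
            and fnmatch(req.get("Calling-Station-Id", ""), row["cli"])
            and fnmatch(req.get("Called-Station-Id", ""), row["dnis"]))

def decide(table, req):
    """A deny table denies what it matches; a permit table permits only what it matches."""
    match = ip_nar_matches if table["type"] == "ip" else cli_dnis_nar_matches
    hit = any(match(row, req) for row in table["rows"])
    if table["mode"] == "deny":
        return "deny" if hit else "permit"
    return "permit" if hit else "deny"

ALL = {"aaa_client": "*", "port": "*", "address": "*", "cli": "*", "dnis": "*"}
DENY_ALL_IP = {"type": "ip", "mode": "deny", "rows": [ALL]}              # the asker's Default group
DENY_ALL_CLI_DNIS = {"type": "cli_dnis", "mode": "deny", "rows": [ALL]}  # darpotter's fix
PERMIT_WLAN_ONLY = {"type": "cli_dnis", "mode": "permit",                # permit NAR per device
                    "rows": [dict(ALL, aaa_client="10.0.0.5")]}

if __name__ == "__main__":
    print("deny-all IP, wireless      :", decide(DENY_ALL_IP, WIRELESS_8021X))        # permit (the symptom)
    print("deny-all IP, telnet        :", decide(DENY_ALL_IP, TELNET_ADMIN))          # deny
    print("deny-all CLI/DNIS, wireless:", decide(DENY_ALL_CLI_DNIS, WIRELESS_8021X))  # deny (the fix)
```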

