11-03-2006 10:42 AM - edited 03-10-2019 02:49 PM
I add "Testuser" to my Active Directory security group "DomainWireless" and I see on ACS that the respective user is mapped accordingly and gets authenticated as "Group Name=ACSWireless".
If I remove the user from "ACSWireless", the user defaults to the "Default" group.
Then I go to ACS, "Group Setup", Edit "Default" group settings. I go to "Per Group Defined Network Access Restrictions". I check "Define IP-based access restrictions". I pick "Table Defines=Denies Calling Point of Access Locations". I input "All AAA Clients Port=* Address=*". I click "Submit + Restart".
I attempt to log in and I am successful.
What am I missing? I want to let only users who are members of the DomainWireless group log in via wireless, and deny access to people who are not members of that group.
11-06-2006 06:46 AM
Easy... wrong type of NAR.
IP-based NARs are for L3 (i.e. telnet etc.) and are mostly used just for TACACS+ device admin.
You need to use CLI/DNIS style NARs for an L2 session. The content is largely the same: make it deny and put *'s in for everything.
Darran
11-06-2006 11:21 AM
Yes, that did it!
That tells me that, similarly, I should only configure permit NARs using the CLI/DNIS type for the respective devices.
Thanks a lot!