ACS - "Default" group still lets people log in via wireless

news2010a · ‎11-03-2006

I add "Testuser" to my active directory security group "DomanWireless" and I see on ACS the respective user is mapped accordingly and get authenticated as "Group Name=ACSWireless".

If I remove the user from "ACSWireless", user defaults to "Default" group.

Then I go to ACS, "Group Setup", Edit "Default" group settings. I go to "Per Group Defined Network Access Restrictions". I check "Define IP-based access restrictions". I pick "Table Defines=Denies Calling Point of Acess Locations". I input "All AAA Clients POrt=* Address=*". I click "Submit + Restart".

I attempt to login and I am successful.

What am I missing ? I want to let only users members of DomainWireless group login via wireless, and deny access to people who are not member of that group.

darpotter · ‎11-06-2006

Easy... wrong type of NAR.

IP based are for L3 - ie telnet etc and mostly used just for TACACS+ device admin.

You need to use CLI/DNIS style NARs for a L2 session. Content is largely the same - make it deny and put *'s in for everything.

Darran

news2010a · ‎11-06-2006

Yes, that did it !

That tells me that similarly, I should only configure permit NAR's using the CLI/DNIS type for the respective devices.

Thanks a lot !