Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS 3.2 and group mapping to multiple user groups in W2k AD


I am trying to do the following configuration with the ACS 3.2 and a Windows 2K AD domain as External User Database.

Let's say I'm just using one Win2K AD domain (say, DOMAIN A) as the External User Database. I have four user groups in Active Directory say "vpnadmin", "vpnuser", "mgmtadmin" and "wlanuser". I want only users in these groups to be authenticated through the ACS server. Authentication attempts by all other users/groups should be denied. What I want is that user groups "vpnadmin" and "vpnuser"should only communicate requests from the VPN Gateway device and should not accept requests from any other AAA clients. Group "mgmtadmin" is used to authenticate admin users on the switches, routers, etc. The last group "wlanusers" is to authenticate users using 802.1x/ LEAP authentication for wireless communication.

My main requirement is that these above mentioned groups should only be able to authenticate on their respective devices and attempts to authenticate with the credentials of any other groups should not be possible.

Two of the devices in use as Nortel based devices such as Contivity VPN gateway & Baystack switch and the AP is Cisco. Therefore, RADIUS (IETF) defined as client type for nortel devices and TACACS+ defined for AP.

These are the actions that I did and the results :

- 3 AAA clients defined, one each for VPN gateway, wireless AP and Management IP of one of the switches.

- Defined DOMAIN A's AD as the external user database. (the four above mentioned groups already exist in the Active Directory). Check for "Dial-In" user attribute in user profile also activated.

- Mapping of the for AD groups done to four local groups on the ACS. " All other combinations" and the "Default" group are mapped to the <No Access> value.

- Required RADIUS attribute values defined per group.

I noticed that using my VPN client, when I try to authenicate users from the "vpnadmin" and "vpnuser" groups, they successfully authenticate and are provided the right VPN profiles by the VPN gateway device based on RADIUS attributes defined for the respective groups. But I also notice that users from the "WlanUser" and "Mgmtadmin" groups can also authenticate on the VPN gateway. Please correct me if I am wrong, but I presume this is happening because the ACS server is only doing its job by validating the RADIUS requests and since the users in the "wlanuser" and "mgmtadmin" groups are valid users in the AD, and because there are mappings for these groups in the ACS, they are being authenticated. Is there anyway that I can restrict only requests from the VPN gateway to be checked against the "vpnadmin" and "vpnuser" groups, the "wlanuser" group with the AP and the "mgmtadmin" group with the switch management. Groups other than the ones meant to communicate with the specific d

Kindly advise if this is possible. Any kind of work-arounds or solutions for the same would be highly appreciate as I'm in a bit of a fix with this problem now.

For your information, I have already tried configuring the "Network Access Restriction (NAR)" options in the ACS group configurations but the AAA clients don't seem to about the parameters. I think it is because the Nortel devices may not be completely be understanding the NAR attributes and so they ignore them. This has also been documented (briefly) in the Nortel documentation which states that this feature only works with devices that completely support all the related RADIUS attributes.

Thanks and Regards


Cisco Employee

Re: ACS 3.2 and group mapping to multiple user groups in W2k AD

Using NAR is the way to go here. Basically in your vpnadmin and vpnuser ACS groups you define that they can only authenticate requests coming from your VPN device. Similarly with the wlanuser group and your AP. For the mgmt group you don't define any NAR and they'll be able to authenticate against any device (even set priv-lvl to 15 and they'll come in straight into enable mode on the rtr's and switches).

You might have gotten the NAR config messed up. I know when using NAR and defining a VPN3000 device you have to add it into the "CLI/DNIS-based access restriction" section, not the "IP-based access restriction", so the Nortel devices may need the same thing. Just make sure the table defines the "permitted calling points", then add the VPN devices, and authentication requests from any other NAS will be rejected.

FYI, CLI/DNIS based NARs are used unless the "caller-id" or "calling-station-id" attribute in the Radius request contains an IP address, then IP-based NAR's are used instead. The VPN3000 doesn't even use the caller-id attribute, which is why you have to define it in the CLI-DNIS section, I'm taking a guess that the Nortel VPN devices may do the same thing.

New Member

Re: ACS 3.2 and group mapping to multiple user groups in W2k AD


Thanks..It did the trick and I can now filter requests based on devices.I added the devices to the CLI/DNIS-based access restriction section and it started filtering. It is a bit surprising that this bug-like issue is not defined atleast in the release-notes for the ACS.

Thanks and Regards


CreatePlease to create content