Cisco Support Community

ACS 3.3 and multiple group mappings

I have been using ACS to authenticate VPN users from our ASA5540 for several months with no problems. I map an ACS group "VPN-Users" to a group in AD. I have now created a 2nd group in ACS, "Wireless-PEAP", for wireless PEAP authentication. This group also maps to a group in AD. I have also applied a NAR to each ACS group, allowing for our ASA to authenticate against the VPN group and our 4400 WLAN controllers to authenticate against the PEAP group. The order of the groups is VPN and then PEAP. This works fine when a user is a member of one group or the other, but not both. If one of my wireless users is attempting to authenticate using PEAP and that user is also a member of the VPN group, then they fail authentication against the VPN group with a message that says "User Access Filtered" in the failed log. I am assuming ACS sees that user in the first group but the NAR denies the 4400 controllers access to the VPN group, so the authentication fails. Is there any way around this?


Re: ACS 3.3 and multiple group mappings
