In ACS we setup several groups: Internet-only, VPN-only and Internet-VPN. Users are then placed into these groups according to group-mapping from Windows AD. This has been working as designed for years. Now we upgrade to ACS 4.0 and there is a problem. It seems as if our Internet group from AD is not being recognized by ACS. If a user is only in the AD internet group, ACS places them in no access. If a user is in the internet group and a VPN group they are placed in VPN-only group. If a user is only in a VPN group they are correctly placed in VPN-only. If I setup a new group mapping, I see the Internet group in the list of AD groups. Does ACS 4.0 recognize all AD groups whether they are global or local when it come to authenticating and classifing users? I ask this because the VPNgroups are global groups and the Internet group is not, but that did not matter before.
Not that I am aware. If we fall back to ACS 3.3 all works fine. If I create another group mapping (in ACS 4.0)using only global groups it works find. I make another group mapping using a local group, the same thing happens.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...