I've just upgraded to ACS 4.1 and am using a Network Access Profile (NAP) to ensure wireless users are authenticated against a Windows AD only (we had issues with overlapping user names for token-based access to other systems). I've had to add the internal database to the sequence of databases searched for this NAP to permit statically configured infrastructure AP credentials (in the ACS internal database) to be used to allow APs to authenticate to a WLSM.
All of this works, but I'm struggling to understand some entries in the user list (see attached JPEG) which shows the internal user, and an uneditable copy of that user which appears to have been used by the NAP. It just looked odd the first time I saw it, and I can't find any documentation which explains the interpretation of the Network Access Profile field in the user list.
It's purely down to how NAP was implemented. In ACS v3.x a user could only be in one group at a time (even with dynamic mapping) and have one password type (either set by ACS admin or the first time an unknown user was authenticated).
With NAP in 4.x they got around this by creating multiple database entries for each user - one for each NAP.
It's perhaps a bit kludgy and the net result is that you might see the same users listed multiple times.