We’ve got 4 corporate WLCs which report back to two ACS servers. Our AD then has 4 domains, so we’ve had to duplicate what we’re doing 4 times with ACS group mappings.
Originally we just had one group for User Authentication and another for Machine Authentication which is all for wireless connectivity. Devices mainly connect via the Machine Authentication, but we’ve had a few non-domain devices which have used User Authentication. Both use certificate authentication with our Corporate Microsoft Certificate Authority.
We’ve then added a user authentication group for TACACS devices, so we can log onto switches, routers, ASAs etc. and do AAA.
We’ve then had to start adding Blackberry devices and Apple iOS devices.
The latest addition is for guest wireless users who connect to a guest WLC in a DMZ.
So we have ended up with, in the NT Group Mappings, multiple NT Groups, each with a mapping to an ACS Group. I am aware that in ACS 4.2 Cisco states that it will try any known external database to authenticate a user and therefore the groups need to be ordered correctly; however, this is giving us a problem, as a user may exist in multiple groups.
Ideally I want to be able to restrict say a TACACS device (port 49) to only work with the TACACS Users group. I can then look at only allowing the Corporate WLC’s to only work with the corresponding wireless users/machine groups. Then another for the guest WLC users.
I have been looking at the NARs, but it’s not quite giving me what I want. Can anyone provide some useful information as to whether this is achievable?
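The behaviour the post is wrestling with, as an added illustration that is not Cisco code and not part of the original thread: ACS 4.2 walks the NT Group Mappings in order and assigns the user to the ACS group of the first NT group that matches, and a Network Access Restriction (NAR) on that ACS group can then only permit or deny the request for the AAA client it came from; it does not send the user on to the next mapping. The mapping order, AAA client addresses and group names below are assumptions chosen to mirror the post's setup, and the request objects are constructed sample input.

```python
"""
Constructed model of ACS 4.2 ordered NT-group mapping followed by a
group-level NAR check. Added illustration only; the group names, NAS
addresses and mapping order are assumptions, not a real ACS export.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class AccessRequest:
    user: str
    ad_groups: Set[str]      # NT groups the user belongs to, as returned by AD
    nas_ip: str              # AAA client (WLC, switch, router, ASA) that sent the request
    protocol: str            # "tacacs" (TCP/49) or "radius"


@dataclass
class AcsGroup:
    name: str
    # NAR modelled as the set of AAA client addresses this group is permitted from;
    # None means no NAR is applied to the group.
    permitted_nas: Optional[Set[str]] = None


# Ordered NT Group -> ACS Group mappings (assumed). First match wins, as ACS 4.2 does.
GROUP_MAPPINGS: List[Tuple[str, str]] = [
    ("WIRELESS_USERS", "Wireless Users"),
    ("TACACS_USERS", "TACACS Users"),
    ("GUEST_WIRELESS", "Guest Users"),
]

# The same mappings with TACACS placed first, to show that re-ordering only moves the problem.
TACACS_FIRST: List[Tuple[str, str]] = [GROUP_MAPPINGS[1], GROUP_MAPPINGS[0], GROUP_MAPPINGS[2]]

# ACS groups with a NAR tied to the devices each should serve (addresses assumed).
ACS_GROUPS = {
    "Wireless Users": AcsGroup("Wireless Users", {"10.0.0.11", "10.0.0.12"}),  # corporate WLCs
    "TACACS Users": AcsGroup("TACACS Users", {"10.0.1.1", "10.0.1.2"}),        # switches/routers/ASAs
    "Guest Users": AcsGroup("Guest Users", {"192.0.2.10"}),                     # guest WLC in the DMZ
}


def map_group(req: AccessRequest, mappings: List[Tuple[str, str]]) -> Optional[str]:
    """Return the ACS group of the first NT group mapping the user matches, or None."""
    for nt_group, acs_group in mappings:
        if nt_group in req.ad_groups:
            return acs_group
    return None


def nar_permits(group: AcsGroup, req: AccessRequest) -> bool:
    """Apply the group NAR: permit if no NAR, or if the AAA client is listed."""
    if group.permitted_nas is None:
        return True
    return req.nas_ip in group.permitted_nas


def evaluate(req: AccessRequest, mappings: List[Tuple[str, str]] = GROUP_MAPPINGS) -> Tuple[str, Optional[str]]:
    """Return (decision, acs_group) the way the ordered mapping plus NAR would decide it."""
    acs_name = map_group(req, mappings)
    if acs_name is None:
        return ("deny", None)            # user matches no mapping at all
    group = ACS_GROUPS[acs_name]
    if not nar_permits(group, req):
        # The NAR rejects the request outright; ACS does not retry the next mapping.
        return ("deny", acs_name)
    return ("permit", acs_name)


if __name__ == "__main__":
    # Constructed sample: an engineer who is in both the wireless and the TACACS NT groups.
    alice_switch = AccessRequest("alice", {"WIRELESS_USERS", "TACACS_USERS"}, "10.0.1.1", "tacacs")
    alice_wlc = AccessRequest("alice", {"WIRELESS_USERS", "TACACS_USERS"}, "10.0.0.11", "radius")
    print("wireless-first, switch:", evaluate(alice_switch))   # deny: stuck in Wireless Users
    print("wireless-first, WLC:   ", evaluate(alice_wlc))      # permit
    print("tacacs-first, switch:  ", evaluate(alice_switch, TACACS_FIRST))   # permit
    print("tacacs-first, WLC:     ", evaluate(alice_wlc, TACACS_FIRST))      # deny: stuck in TACACS Users
```

Run it and the two orderings show the trade-off the post describes: whichever NT group is listed first captures a user who belongs to both, and a NAR on that ACS group then denies the request from the "wrong" device type rather than handing the user to the other mapping. Per-device restriction therefore only works cleanly when each user falls into exactly one mapped NT group, or when the mapping itself is keyed on something other than group membership alone.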
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...