Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Acs 5.3 - moving between access services


Currently trying to set up the above so that if an access service is not matched

then it will go to the next one.

Looking at the logs what happens is - our auth is set to AD so it matches

that - then it isnt in the correct ext AD group and goes to default deny access.

Cant see how to get around this - the only continue command is in the advanced

area of the auth - but i cant set up ext ad groups on the auth.

How do i get this to move between access services if it doesnt match the ext AD

group or NDG



Re: Acs 5.3 - moving between access services


Is the user still present in another database also or did you setup a user with the same username on the internal database? Usually you dont have to use another access service unless you are switching protocols such as tacacs or radius.

You can set another authorization rule (within the same access policy) so that if the user doesnt match the first AD group then you can go down to the one that matches and set the result.


Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

Re: Acs 5.3 - moving between access services


So Tarik what you are basically saying is that -

If you are using TACACS then you should really use one access service with a number of rules on it.

However is we are also using RADIUS is when we should have another access service for that.


Re: Acs 5.3 - moving between access services

Yes the built in service selection rules come out of the box this way.

In you scenario if you have multiple ad groups and have a requirement on how these group will be authorized within the network, you will first create a policy element in which the authorization profile will be defined for example:

We will define a policy called sales, in it will have the radius av pairs that assign vlan 10, another policy called marketing and the av pairs for vlan 20 are defined.

When you build your access policy you will go to authorization and select the customize button on the bottom right and choose the external groups option by moving it from the left over to the right. When you create your authorization rule you can pick the ad group and select either the sales or marketing authorization profile you created under the results.

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*
CreatePlease to create content