Is the user still present in another database also or did you setup a user with the same username on the internal database? Usually you dont have to use another access service unless you are switching protocols such as tacacs or radius.
You can set another authorization rule (within the same access policy) so that if the user doesnt match the first AD group then you can go down to the one that matches and set the result.
Yes the built in service selection rules come out of the box this way.
In you scenario if you have multiple ad groups and have a requirement on how these group will be authorized within the network, you will first create a policy element in which the authorization profile will be defined for example:
We will define a policy called sales, in it will have the radius av pairs that assign vlan 10, another policy called marketing and the av pairs for vlan 20 are defined.
When you build your access policy you will go to authorization and select the customize button on the bottom right and choose the external groups option by moving it from the left over to the right. When you create your authorization rule you can pick the ad group and select either the sales or marketing authorization profile you created under the results.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :