Cisco Support Community
Community Member

ACS and VPN3000 and Wireless control

On ACS 3.3, I renamed and mapped ACS_Wireless and ACS_VPN3000 to my respective Active Directory security groups DomainWireless and DomainVPN3000. I want to let only members of these groups have access to those services.

Following the ACS documentation, I go to "Group Setup". I see options "Jump to" there. I picked RADIUS IETF.

My question is this, it is not clear to me how I am going to list there VPN 3000 and Wireless access and control access accordingly ?

Can someone give me a direction on where I need to go next ? On ACS 3.30, "Group Setup" section, on the "Jump to" drop-down list all I can see is now "Cisco IOS/PIX", "Access Restrictions", "IP Address Assignments".

So far it is not clear to me where I will pick the VPN 3000 concentrator access control or Cisco Wireless Access Point control ? I see all options listed for RADIUS IETF, but I don't see how I can control VPN and Wireless using that option ?

Community Member

Re: ACS and VPN3000 and Wireless control

In ACS go to "Interface configuration/advanced options". Enable "Group-Level Network Access Restrictions" Go to your ACS_Wireless group, scroll down and you should see a "per group Defined Network access Res.." Enable this, leave the table definition to "permit calling.." The drop down for "aaa client" should show your NAS device (wireless AP). Under the port put in an asterick as well as for the address. Make sure you hit the "enter" button. Do the same for your VPN group.

This will tie the groups specifically to the NAS groups you specify.

Community Member

Re: ACS and VPN3000 and Wireless control


Just I would like to clarify, When you say "do the same for your VPN group", that means,go again to "Interface configuration/advanced options", enable "Group-Level Network Access Restrictions" , go to your ACS_VPN Group. Then I should enable "per group Device Network Access Res.", pick "permit calling..." then for AAA client I should pick my respective VPN Concentrator AAA client.

I think that is it, but I just wanted to confirm since on that same "AAA client" drop down I had the option to pick "VPN" right there, what I think it is not the case.

You guys are rocking.

CreatePlease to create content