I am trying to implement LEAP authentication on an Access Point. I have a Cisco ACS 3.1 which is integrated into Active Directory. I would like to use the group mapping feature for authentication, i.e. I have created an NT group in Active Directory and added some users into that group. I want only those users who are listed in this group to be able to use the Wireless LAN. How can I go about this?
You need to set up group mapping in ACS.
ACS--->Ext db--->Group mapping--->windows--->choose domain---> add mapping----> choose NT group and pick one ACS group-->submit.
Now you will see the mapping. Now on the rest of the user groups, you need to set up a NAR with a condition not allowing them the wireless NAS.
See this link,
Do rate helpful posts
I could create the NT Group Mapping. Where do I create the NAR? I could find only the settings below under Shared Profile Components.
Shell Command Authorization Set
PIX Command Authorization Set
Yeah, in ACS 3.1 it's under the Shared Profile Components page. In ACS 4.1 it's directly under the user groups or under the SPC page.
You need to check the box for "Define IP-based access restrictions" and deny access for all other groups to the wireless access points network device group.
In the NAR
1. Denied Calling/Point of access restrictions
2. AAA Clients = Wireless access points (whatever you called your network device group for wireless)
3. Port = just put a * for all
4. Src IP address = just put a * as well
Click submit to save it.
Go to the ACS User Groups section, select all the groups that don't need access to wireless, and apply the NAR you created to each of those groups. The section is called Network Access Restrictions (NAR) under the group area.
Hope this helps and let me know if you need further assistance or explanation.
Currently I have configured my ACS with Active Directory. Users who have Dial-in Permissions set can connect to the Access Points.
Now I have created a Windows group in domain with 5 members in it and I have mapped that group in ACS to group 10.
Now I want only the members of that group to be able to connect to the Access Point. How do I do that?
I tried the NAR settings, but it did not work.
I'm pretty sure that NARs will work for this.
You need to deny all other groups access to the access points. So if you have 9 other groups besides "group 10", you need to apply the deny NAR to each of those groups.
Under Groups 1-9, create a NAR to deny calling/point of access to the access points (network device group) and just put * for port and address. You'll need to submit and restart for the changes to take effect. The box will not allow authentications at the time of the restart, so do it when the system is not busy.
I hope I understood your question right, but if not just let me know.
With ACS v3.1 you do not have many options, but if you upgrade to ACS v4.1 you can implement Network Access Profiles.
With these you can authorize a group to particular network devices and deny access to other groups.
The following link can give more detail:
Assign group mappings to the associated NT group and scroll down to the group name.
In the group name, go to "Per Group Defined Network Access Restrictions", check the box to implement the group NAR, and assign the access points to this group with AP1 * *. Scroll down to Denied Calling/Point of Access Location.
Hope this helps.
I am using ACS 3.1, so I cannot use Network Access Profiles. I used the following method, which works fine for me. Correct me if I am wrong.
1. Edit the ACS "0 default group" settings. Under NAR, select the check box "Only allow network access when", but do not add any NAR. Please go through the attachment.
2. Define a NAR to permit access for the Network Device Group "Wireless Access Point".
3. Map a Windows group to an ACS group and add that NAR to the group.