Community Member

acs & restrictions

Hi..

I'm trying to understand the way ACS works with group mapping to Active Directory.

What I want to achieve is:

1- to have an AD group for wireless users who are permitted to authenticate and use the WLAN

2- to have an AD group for VPN users who are permitted to authenticate and use the VPN

3- to have an AD group for switch admins who are permitted to authenticate and manage LAN switches.

For example, some users who are members of the VPN group need to be members of the wireless group in AD as well..

Is it possible to have that? Or do I need to set up an additional ACS server for each?

2 REPLIES
Community Member

Re: acs & restrictions

First, you will need to have ACS 4.0 or above.

Next, you need to set up group mapping for AD with the following:

AD group wireless = W

AD group VPN = V

AD group Switch mgmt = S

ACS group 1 = W V S

ACS group 2 = W V

ACS group 3 = W S

ACS group 4 = V S

ACS group 5 = W

ACS group 6 = V

ACS group 7 = S

These MUST be set up in the described order.

Note - for 3 non-exclusive AD groups you need to configure 7 ACS groups. This problem will be alleviated in ACS 5.x.

Now, in each ACS group mapped with W have a NAR that permits access to the wireless devices, V with a NAR that permits access to VPN devices and S with a NAR that permits access to the switches, such that:

ACS group 1: NAR_w, NAR_v, NAR_s

ACS group 2: NAR_w, NAR_v

and so on.
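The ordering requirement in the reply above follows from first-match, top-down evaluation of the group mappings: a user who is in W, V and S also satisfies the mapping for "W" alone, so the most specific combination must be listed first or the user lands in a less privileged ACS group and loses the NARs they should have. The following is an added example, not code from the original thread or from Cisco, that simulates that evaluation; it assumes first-match evaluation (which is what the reply's ordering requirement implies) and generalises the 3-group case to any number of non-exclusive AD groups, generating the 2^n - 1 combinations in the required order.

```python
from itertools import combinations

# Constructed example data, using the reply's names for the AD groups.
AD_GROUPS = ("W", "V", "S")

# NAR that each AD group should confer (names from the reply).
NAR_FOR = {"W": "NAR_w", "V": "NAR_v", "S": "NAR_s"}


def build_mapping_order(ad_groups=AD_GROUPS):
    """Return the ordered list of AD-group combinations an ACS 4.x-style
    mapping needs: every non-empty subset, largest (most specific) first.
    For three groups this yields the seven ACS groups in the reply's order."""
    order = []
    for size in range(len(ad_groups), 0, -1):
        for combo in combinations(ad_groups, size):
            order.append(frozenset(combo))
    return order


def map_user(user_ad_groups, mapping_order):
    """Simulate first-match group mapping (assumption): the first mapping
    whose AD groups are all held by the user wins.
    Returns (1-based ACS group number, matched combination) or None."""
    held = set(user_ad_groups)
    for idx, combo in enumerate(mapping_order, start=1):
        if combo <= held:
            return idx, combo
    return None


def nars_for(combo):
    """NARs applied in the ACS group for a given AD-group combination."""
    return sorted(NAR_FOR[g] for g in combo)


def effective_access(user_ad_groups, mapping_order):
    """Which NARs a user actually ends up with under a given mapping order."""
    match = map_user(user_ad_groups, mapping_order)
    return nars_for(match[1]) if match else []


def misconfiguration_loss(user_ad_groups):
    """NARs a user loses if the mappings are listed in the wrong order
    (least specific first). Useful as a check when auditing a mapping table."""
    correct = build_mapping_order()
    wrong = list(reversed(correct))
    expected = set(effective_access(user_ad_groups, correct))
    actual = set(effective_access(user_ad_groups, wrong))
    return sorted(expected - actual)


if __name__ == "__main__":
    order = build_mapping_order()
    for n, combo in enumerate(order, start=1):
        print(f"ACS group {n} = {' '.join(sorted(combo, key=AD_GROUPS.index))}"
              f"  -> {', '.join(nars_for(combo))}")
    # A user in all three AD groups, with the correct and the reversed order.
    print("correct order:", effective_access(("W", "V", "S"), order))
    print("wrong order  :", effective_access(("W", "V", "S"), list(reversed(order))))
    print("lost by misordering:", misconfiguration_loss(("W", "V", "S")))
```

Running it prints the seven ACS groups exactly as the reply lists them, and shows that with the order reversed a user holding W, V and S matches "S" first and is left with only NAR_s, which is the failure the reply's "MUST be set up in the described order" warns about. The `misconfiguration_loss` check is a quick way to reason about what an out-of-order mapping table silently drops before touching a production ACS.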

Community Member

Re: acs & restrictions

Thanks for the very good answer. I'm running ACS 4.1, which raises some other questions for me.. :)

1- What will happen if I apply the downloadable ACL, which I would have only for VPN users, on

ACS group 1 = W V S

2- Do you know when version 5.0 will be released..
