After mapping groups, should I deny all users on ACS ?

news2010a (Level 3)

I've created and mapped security groups in active directory DomainWirelessOK and DomainVPNOK. I mapped those to ACS_Wireless and ACS_VPN.

In my production environment, currently all users on ACS authenticate using "Default Group".

What's the best way to let only users of ACS_VPN and ACS_Wireless have access to resources? Should I "deny" access to the Default group? Is there any specific order you would set this up in?

Also, if you have suggestions on how I can test this while avoiding system disruption, please let me know. I thought that I could perhaps include the IP addresses of a few selected Access Points to confirm that the mappings work accordingly?

1 Reply

darpotter (Level 5)

Hi

If you add a 3rd mapping to map everything else to "No access", that would lock out members of other AD groups.

Additionally, create two NDGs - one for VPN and one for WLAN. In each ACS group you can setup Network Access Restrictions (NARs) such that the VPN group only has access to the VPN NDG and the same for WLAN.

If a WLAN user authenticated via a device in the VPN NDG they would be rejected, and vice versa. This assumes the groups are mutually exclusive, which they probably aren't. So you might need to make each of the 2 ACS groups have access to both NDGs.

Darran
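The policy logic in the reply above (ordered AD-to-ACS group mapping with a catch-all "No access" entry, two NDGs, and NARs tying each ACS group to an NDG), modelled as an added Python example that is not part of the original thread and not Cisco ACS code. It assumes first-match semantics for the ordered mapping list, uses constructed device IPs for the NDGs, and exists to show why strict NARs reject a user who belongs to both AD groups, and why relaxing the NARs fixes that:

```python
# Constructed model of ACS-style group mapping plus Network Access Restrictions.
# Assumption: the mapping list is evaluated top-down and the first match wins.

NO_ACCESS = "No Access"

# Ordered mapping of AD security group -> ACS group (names from the thread).
GROUP_MAPPINGS = [
    ("DomainVPNOK", "ACS_VPN"),
    ("DomainWirelessOK", "ACS_Wireless"),
]
# The 3rd, catch-all mapping from the reply: everything else -> No access.
DEFAULT_MAPPING = NO_ACCESS

# Network Device Groups: NDG name -> set of device IPs (constructed sample values).
NDG_MEMBERS = {
    "VPN": {"192.0.2.10"},
    "WLAN": {"192.0.2.20", "192.0.2.21"},
}

# NARs: ACS group -> NDGs through which that group may authenticate.
STRICT_NARS = {"ACS_VPN": {"VPN"}, "ACS_Wireless": {"WLAN"}}
RELAXED_NARS = {"ACS_VPN": {"VPN", "WLAN"}, "ACS_Wireless": {"VPN", "WLAN"}}


def map_user(ad_groups):
    """Return the ACS group for a user, using first-match over the ordered list."""
    for ad_group, acs_group in GROUP_MAPPINGS:
        if ad_group in ad_groups:
            return acs_group
    return DEFAULT_MAPPING


def ndg_for_device(device_ip):
    """Return the NDG a network device belongs to, or None if unassigned."""
    for ndg, members in NDG_MEMBERS.items():
        if device_ip in members:
            return ndg
    return None


def authorize(ad_groups, device_ip, nars):
    """Decide whether a user (by AD groups) may authenticate via device_ip.

    Returns (permitted, acs_group, reason).
    """
    acs_group = map_user(ad_groups)
    if acs_group == NO_ACCESS:
        return False, acs_group, "user mapped to No Access"
    ndg = ndg_for_device(device_ip)
    if ndg is None:
        return False, acs_group, "device is not in any NDG"
    if ndg not in nars.get(acs_group, set()):
        return False, acs_group, f"NAR denies {acs_group} on NDG {ndg}"
    return True, acs_group, f"{acs_group} permitted on NDG {ndg}"


if __name__ == "__main__":
    scenarios = [
        ("VPN-only user on VPN device", {"DomainVPNOK"}, "192.0.2.10"),
        ("VPN-only user on WLAN device", {"DomainVPNOK"}, "192.0.2.20"),
        ("user in both groups on WLAN device", {"DomainVPNOK", "DomainWirelessOK"}, "192.0.2.20"),
        ("user in neither group on VPN device", {"Domain Users"}, "192.0.2.10"),
    ]
    for label, nars in (("strict", STRICT_NARS), ("relaxed", RELAXED_NARS)):
        print(f"--- {label} NARs ---")
        for name, groups, ip in scenarios:
            ok, grp, why = authorize(groups, ip, nars)
            print(f"{name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The "user in both groups" scenario is the caveat in the reply: first-match mapping puts that user in ACS_VPN, so a strict NAR rejects them on a WLAN device even though they are also in DomainWirelessOK; granting each ACS group both NDGs resolves it, while the catch-all still denies users in neither group.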
