Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

After mapping groups, should I deny all users on ACS ?

I've created and mapped security groups in active directory DomainWirelessOK and DomainVPNOK. I mapped those to ACS_Wireless and ACS_VPN.

In my production environment, currently all users on ACS authenticate using "Default Group".

What's the best way to let only users of ACS_VPN and ACS_Wireless have acccess to resources ? Should I "deny" access to Default group ? Is there any specific order you would setup this ?

Also, if you have suggestions on how I can test this avoiding system disruption please let me know. I thought that I could perhaps include the IP address of few selected Access Points to confirm that mappings work accordingly ?


Re: After mapping groups, should I deny all users on ACS ?


If you add a 3rd mapping to map everything else to "No access" that would lockout members of other AD groups.

Additionally, create two NDGs - one for VPN and one for WLAN. In each ACS group you can setup Network Access Restrictions (NARs) such that the VPN group only has access to the VPN NDG and the same for WLAN.

If a WLAN user authenticated via a device in the VPN NDG they would be rejected & vice versa. This assumes the groups are mutually exclusive which they probably arent. So you might needs to make each of the 2 ACS groups have access to both NDGs.


CreatePlease login to create content